Edit tour

Windows Analysis Report
Order Details.exe

Overview

General Information

Sample name:	Order Details.exe
Analysis ID:	1592377
MD5:	06c48ef3e45a7dafedbd596368918830
SHA1:	6ec2e82db6d702ddc0f4b302a4d8f02fd4c36c36
SHA256:	1e2333cb4fb3ecca06d22bb3b6255e5ac62b7ba43c3bceb8c17252657f34ba1e
Tags:	exeuser-threatcat_ch
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Order Details.exe (PID: 2032 cmdline: "C:\Users\user\Desktop\Order Details.exe" MD5: 06C48EF3E45A7DAFEDBD596368918830)

Order Details.exe (PID: 908 cmdline: "C:\Users\user\Desktop\Order Details.exe" MD5: 06C48EF3E45A7DAFEDBD596368918830)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "frankichong@yulifertilizer.com.my", "Password": "Ayfc931319*", "Host": "yulifertilizer.com.my", "Port": "25", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1494c:$a1: get_encryptedPassword 0x14c38:$a2: get_encryptedUsername 0x14758:$a3: get_timePasswordChanged 0x14853:$a4: get_passwordField 0x14962:$a5: set_encryptedPassword 0x15fc5:$a7: get_logins 0x15f28:$a10: KeyLoggerEventArgs 0x15b93:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182e0:$x1: $%SMTPDV$ 0x18346:$x2: $#TheHashHere%& 0x199af:$x3: %FTPDV$ 0x19aa3:$x4: $%TelegramDv$ 0x15b93:$x5: KeyLoggerEventArgs 0x15f28:$x5: KeyLoggerEventArgs 0x199d3:$m2: Clipboard Logs ID 0x19bf3:$m2: Screenshot Logs ID 0x19d03:$m2: keystroke Logs ID 0x19fdd:$m3: SnakePW 0x19bcb:$m4: \SnakeKeylogger\
00000000.00000002.1679581061.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ae6b:$x1: In$J$ct0r
00000001.00000002.4156338198.000000000351C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x56d3c:$a1: get_encryptedPassword 0x7796c:$a1: get_encryptedPassword 0x9838c:$a1: get_encryptedPassword 0x57028:$a2: get_encryptedUsername 0x77c58:$a2: get_encryptedUsername 0x98678:$a2: get_encryptedUsername 0x56b48:$a3: get_timePasswordChanged 0x77778:$a3: get_timePasswordChanged 0x98198:$a3: get_timePasswordChanged 0x56c43:$a4: get_passwordField 0x77873:$a4: get_passwordField 0x98293:$a4: get_passwordField 0x56d52:$a5: set_encryptedPassword 0x77982:$a5: set_encryptedPassword 0x983a2:$a5: set_encryptedPassword 0x583b5:$a7: get_logins 0x78fe5:$a7: get_logins 0x99a05:$a7: get_logins 0x58318:$a10: KeyLoggerEventArgs 0x78f48:$a10: KeyLoggerEventArgs 0x99968:$a10: KeyLoggerEventArgs
00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x5a6d0:$x1: $%SMTPDV$ 0x7b300:$x1: $%SMTPDV$ 0x9bd20:$x1: $%SMTPDV$ 0x5a736:$x2: $#TheHashHere%& 0x7b366:$x2: $#TheHashHere%& 0x9bd86:$x2: $#TheHashHere%& 0x5bd9f:$x3: %FTPDV$ 0x7c9cf:$x3: %FTPDV$ 0x9d3ef:$x3: %FTPDV$ 0x5be93:$x4: $%TelegramDv$ 0x7cac3:$x4: $%TelegramDv$ 0x9d4e3:$x4: $%TelegramDv$ 0x57f83:$x5: KeyLoggerEventArgs 0x58318:$x5: KeyLoggerEventArgs 0x78bb3:$x5: KeyLoggerEventArgs 0x78f48:$x5: KeyLoggerEventArgs 0x995d3:$x5: KeyLoggerEventArgs 0x99968:$x5: KeyLoggerEventArgs 0x5bdc3:$m2: Clipboard Logs ID 0x5bfe3:$m2: Screenshot Logs ID 0x5c0f3:$m2: keystroke Logs ID
00000001.00000002.4156338198.0000000003351000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Order Details.exe PID: 2032	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Order Details.exe PID: 2032	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Order Details.exe PID: 2032	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Order Details.exe PID: 2032	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x62231:$a1: get_encryptedPassword 0x62513:$a2: get_encryptedUsername 0x62047:$a3: get_timePasswordChanged 0x62142:$a4: get_passwordField 0x62247:$a5: set_encryptedPassword 0x6471d:$a7: get_logins 0x64680:$a10: KeyLoggerEventArgs 0x642eb:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Order Details.exe PID: 2032	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x642eb:$x5: KeyLoggerEventArgs 0x64680:$x5: KeyLoggerEventArgs 0x64f87:$x5: KeyLoggerEventArgs 0x652e8:$x5: KeyLoggerEventArgs 0x66905:$m2: Clipboard Logs ID 0x669fc:$m2: Screenshot Logs ID 0x66a52:$m2: keystroke Logs ID 0x66b87:$m3: SnakePW 0x669e8:$m4: \SnakeKeylogger\
Process Memory Space: Order Details.exe PID: 908	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Order Details.exe PID: 908	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Order Details.exe PID: 908	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b7e:$a1: get_encryptedPassword 0x2e60:$a2: get_encryptedUsername 0x2994:$a3: get_timePasswordChanged 0x2a8f:$a4: get_passwordField 0x2b94:$a5: set_encryptedPassword 0x506a:$a7: get_logins 0x4fcd:$a10: KeyLoggerEventArgs 0x4c38:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Order Details.exe PID: 908	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x4c38:$x5: KeyLoggerEventArgs 0x4fcd:$x5: KeyLoggerEventArgs 0x58d4:$x5: KeyLoggerEventArgs 0x5c35:$x5: KeyLoggerEventArgs 0x7252:$m2: Clipboard Logs ID 0x7349:$m2: Screenshot Logs ID 0x739f:$m2: keystroke Logs ID 0x74d4:$m3: SnakePW 0x7335:$m4: \SnakeKeylogger\
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Order Details.exe.4ff0000.5.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4906b:$x1: In$J$ct0r
0.2.Order Details.exe.4ff0000.5.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ae6b:$x1: In$J$ct0r
0.2.Order Details.exe.3933f90.2.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4906b:$x1: In$J$ct0r
0.2.Order Details.exe.3933f90.2.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ae6b:$x1: In$J$ct0r
0.2.Order Details.exe.39e8e20.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Order Details.exe.39e8e20.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Order Details.exe.39e8e20.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d4c:$a1: get_encryptedPassword 0x13038:$a2: get_encryptedUsername 0x12b58:$a3: get_timePasswordChanged 0x12c53:$a4: get_passwordField 0x12d62:$a5: set_encryptedPassword 0x143c5:$a7: get_logins 0x14328:$a10: KeyLoggerEventArgs 0x13f93:$a11: KeyLoggerEventArgsEventHandler
0.2.Order Details.exe.39e8e20.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a7ad:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x199df:$a3: \Google\Chrome\User Data\Default\Login Data 0x19e12:$a4: \Orbitum\User Data\Default\Login Data 0x1ae51:$a5: \Kometa\User Data\Default\Login Data
0.2.Order Details.exe.39e8e20.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1391a:$s1: UnHook 0x13921:$s2: SetHook 0x13929:$s3: CallNextHook 0x13936:$s4: _hook
0.2.Order Details.exe.39e8e20.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x166e0:$x1: $%SMTPDV$ 0x16746:$x2: $#TheHashHere%& 0x17daf:$x3: %FTPDV$ 0x17ea3:$x4: $%TelegramDv$ 0x13f93:$x5: KeyLoggerEventArgs 0x14328:$x5: KeyLoggerEventArgs 0x17dd3:$m2: Clipboard Logs ID 0x17ff3:$m2: Screenshot Logs ID 0x18103:$m2: keystroke Logs ID 0x183dd:$m3: SnakePW 0x17fcb:$m4: \SnakeKeylogger\
0.2.Order Details.exe.39c81f0.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Order Details.exe.39c81f0.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Order Details.exe.39c81f0.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d4c:$a1: get_encryptedPassword 0x13038:$a2: get_encryptedUsername 0x12b58:$a3: get_timePasswordChanged 0x12c53:$a4: get_passwordField 0x12d62:$a5: set_encryptedPassword 0x143c5:$a7: get_logins 0x14328:$a10: KeyLoggerEventArgs 0x13f93:$a11: KeyLoggerEventArgsEventHandler
0.2.Order Details.exe.39c81f0.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a7ad:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x199df:$a3: \Google\Chrome\User Data\Default\Login Data 0x19e12:$a4: \Orbitum\User Data\Default\Login Data 0x1ae51:$a5: \Kometa\User Data\Default\Login Data
0.2.Order Details.exe.39c81f0.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1391a:$s1: UnHook 0x13921:$s2: SetHook 0x13929:$s3: CallNextHook 0x13936:$s4: _hook
0.2.Order Details.exe.39c81f0.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x166e0:$x1: $%SMTPDV$ 0x16746:$x2: $#TheHashHere%& 0x17daf:$x3: %FTPDV$ 0x17ea3:$x4: $%TelegramDv$ 0x13f93:$x5: KeyLoggerEventArgs 0x14328:$x5: KeyLoggerEventArgs 0x17dd3:$m2: Clipboard Logs ID 0x17ff3:$m2: Screenshot Logs ID 0x18103:$m2: keystroke Logs ID 0x183dd:$m3: SnakePW 0x17fcb:$m4: \SnakeKeylogger\
1.2.Order Details.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.Order Details.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.Order Details.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.Order Details.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b4c:$a1: get_encryptedPassword 0x14e38:$a2: get_encryptedUsername 0x14958:$a3: get_timePasswordChanged 0x14a53:$a4: get_passwordField 0x14b62:$a5: set_encryptedPassword 0x161c5:$a7: get_logins 0x16128:$a10: KeyLoggerEventArgs 0x15d93:$a11: KeyLoggerEventArgsEventHandler
1.2.Order Details.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5ad:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7df:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc12:$a4: \Orbitum\User Data\Default\Login Data 0x1cc51:$a5: \Kometa\User Data\Default\Login Data
1.2.Order Details.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1571a:$s1: UnHook 0x15721:$s2: SetHook 0x15729:$s3: CallNextHook 0x15736:$s4: _hook
1.2.Order Details.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x184e0:$x1: $%SMTPDV$ 0x18546:$x2: $#TheHashHere%& 0x19baf:$x3: %FTPDV$ 0x19ca3:$x4: $%TelegramDv$ 0x15d93:$x5: KeyLoggerEventArgs 0x16128:$x5: KeyLoggerEventArgs 0x19bd3:$m2: Clipboard Logs ID 0x19df3:$m2: Screenshot Logs ID 0x19f03:$m2: keystroke Logs ID 0x1a1dd:$m3: SnakePW 0x19dcb:$m4: \SnakeKeylogger\
0.2.Order Details.exe.39e8e20.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Order Details.exe.39e8e20.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Order Details.exe.39e8e20.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Order Details.exe.39e8e20.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b4c:$a1: get_encryptedPassword 0x3556c:$a1: get_encryptedPassword 0x14e38:$a2: get_encryptedUsername 0x35858:$a2: get_encryptedUsername 0x14958:$a3: get_timePasswordChanged 0x35378:$a3: get_timePasswordChanged 0x14a53:$a4: get_passwordField 0x35473:$a4: get_passwordField 0x14b62:$a5: set_encryptedPassword 0x35582:$a5: set_encryptedPassword 0x161c5:$a7: get_logins 0x36be5:$a7: get_logins 0x16128:$a10: KeyLoggerEventArgs 0x36b48:$a10: KeyLoggerEventArgs 0x15d93:$a11: KeyLoggerEventArgsEventHandler 0x367b3:$a11: KeyLoggerEventArgsEventHandler
0.2.Order Details.exe.39e8e20.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5ad:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cfcd:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7df:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c1ff:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc12:$a4: \Orbitum\User Data\Default\Login Data 0x3c632:$a4: \Orbitum\User Data\Default\Login Data 0x1cc51:$a5: \Kometa\User Data\Default\Login Data 0x3d671:$a5: \Kometa\User Data\Default\Login Data
0.2.Order Details.exe.39e8e20.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1571a:$s1: UnHook 0x3613a:$s1: UnHook 0x15721:$s2: SetHook 0x36141:$s2: SetHook 0x15729:$s3: CallNextHook 0x36149:$s3: CallNextHook 0x15736:$s4: _hook 0x36156:$s4: _hook
0.2.Order Details.exe.39e8e20.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x184e0:$x1: $%SMTPDV$ 0x38f00:$x1: $%SMTPDV$ 0x18546:$x2: $#TheHashHere%& 0x38f66:$x2: $#TheHashHere%& 0x19baf:$x3: %FTPDV$ 0x3a5cf:$x3: %FTPDV$ 0x19ca3:$x4: $%TelegramDv$ 0x3a6c3:$x4: $%TelegramDv$ 0x15d93:$x5: KeyLoggerEventArgs 0x16128:$x5: KeyLoggerEventArgs 0x367b3:$x5: KeyLoggerEventArgs 0x36b48:$x5: KeyLoggerEventArgs 0x19bd3:$m2: Clipboard Logs ID 0x19df3:$m2: Screenshot Logs ID 0x19f03:$m2: keystroke Logs ID 0x3a5f3:$m2: Clipboard Logs ID 0x3a813:$m2: Screenshot Logs ID 0x3a923:$m2: keystroke Logs ID 0x1a1dd:$m3: SnakePW 0x3abfd:$m3: SnakePW 0x19dcb:$m4: \SnakeKeylogger\
0.2.Order Details.exe.39c81f0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Order Details.exe.39c81f0.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Order Details.exe.39c81f0.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Order Details.exe.39c81f0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b4c:$a1: get_encryptedPassword 0x3577c:$a1: get_encryptedPassword 0x5619c:$a1: get_encryptedPassword 0x14e38:$a2: get_encryptedUsername 0x35a68:$a2: get_encryptedUsername 0x56488:$a2: get_encryptedUsername 0x14958:$a3: get_timePasswordChanged 0x35588:$a3: get_timePasswordChanged 0x55fa8:$a3: get_timePasswordChanged 0x14a53:$a4: get_passwordField 0x35683:$a4: get_passwordField 0x560a3:$a4: get_passwordField 0x14b62:$a5: set_encryptedPassword 0x35792:$a5: set_encryptedPassword 0x561b2:$a5: set_encryptedPassword 0x161c5:$a7: get_logins 0x36df5:$a7: get_logins 0x57815:$a7: get_logins 0x16128:$a10: KeyLoggerEventArgs 0x36d58:$a10: KeyLoggerEventArgs 0x57778:$a10: KeyLoggerEventArgs
0.2.Order Details.exe.39c81f0.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5ad:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d1dd:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5dbfd:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7df:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c40f:$a3: \Google\Chrome\User Data\Default\Login Data 0x5ce2f:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc12:$a4: \Orbitum\User Data\Default\Login Data 0x3c842:$a4: \Orbitum\User Data\Default\Login Data 0x5d262:$a4: \Orbitum\User Data\Default\Login Data 0x1cc51:$a5: \Kometa\User Data\Default\Login Data 0x3d881:$a5: \Kometa\User Data\Default\Login Data 0x5e2a1:$a5: \Kometa\User Data\Default\Login Data
0.2.Order Details.exe.39c81f0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1571a:$s1: UnHook 0x3634a:$s1: UnHook 0x56d6a:$s1: UnHook 0x15721:$s2: SetHook 0x36351:$s2: SetHook 0x56d71:$s2: SetHook 0x15729:$s3: CallNextHook 0x36359:$s3: CallNextHook 0x56d79:$s3: CallNextHook 0x15736:$s4: _hook 0x36366:$s4: _hook 0x56d86:$s4: _hook
0.2.Order Details.exe.39c81f0.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x184e0:$x1: $%SMTPDV$ 0x39110:$x1: $%SMTPDV$ 0x59b30:$x1: $%SMTPDV$ 0x18546:$x2: $#TheHashHere%& 0x39176:$x2: $#TheHashHere%& 0x59b96:$x2: $#TheHashHere%& 0x19baf:$x3: %FTPDV$ 0x3a7df:$x3: %FTPDV$ 0x5b1ff:$x3: %FTPDV$ 0x19ca3:$x4: $%TelegramDv$ 0x3a8d3:$x4: $%TelegramDv$ 0x5b2f3:$x4: $%TelegramDv$ 0x15d93:$x5: KeyLoggerEventArgs 0x16128:$x5: KeyLoggerEventArgs 0x369c3:$x5: KeyLoggerEventArgs 0x36d58:$x5: KeyLoggerEventArgs 0x573e3:$x5: KeyLoggerEventArgs 0x57778:$x5: KeyLoggerEventArgs 0x19bd3:$m2: Clipboard Logs ID 0x19df3:$m2: Screenshot Logs ID 0x19f03:$m2: keystroke Logs ID
0.2.Order Details.exe.28ef718.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xcc0e8:$x1: In$J$ct0r 0xcddbc:$a1: WriteProcessMemory 0xcde48:$a1: WriteProcessMemory 0xcdf1c:$a4: VirtualAllocEx 0xce140:$a4: VirtualAllocEx 0xce1c0:$a4: VirtualAllocEx 0x10cf0:$s3: net.pipe 0xcc398:$s3: net.pipe 0xcc3b8:$s4: vsmacros
0.2.Order Details.exe.28f1f58.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xc98a8:$x1: In$J$ct0r 0xcb57c:$a1: WriteProcessMemory 0xcb608:$a1: WriteProcessMemory 0xcb6dc:$a4: VirtualAllocEx 0xcb900:$a4: VirtualAllocEx 0xcb980:$a4: VirtualAllocEx 0xe4b0:$s3: net.pipe 0xc9b58:$s3: net.pipe 0xc9b78:$s4: vsmacros
Click to see the 34 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T02:24:02.848711+0100	2803305	3	Unknown Traffic	192.168.2.4	49732	104.21.32.1	443	TCP
2025-01-16T02:24:06.855237+0100	2803305	3	Unknown Traffic	192.168.2.4	49738	104.21.32.1	443	TCP
2025-01-16T02:24:08.097022+0100	2803305	3	Unknown Traffic	192.168.2.4	49740	104.21.32.1	443	TCP
2025-01-16T02:24:09.347621+0100	2803305	3	Unknown Traffic	192.168.2.4	49742	104.21.32.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T02:24:00.739904+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	193.122.6.168	80	TCP
2025-01-16T02:24:02.255513+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	193.122.6.168	80	TCP
2025-01-16T02:24:03.536813+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49733	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Order Details.exe

Avira: detected

Found malware configuration

Source: 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "frankichong@yulifertilizer.com.my", "Password": "Ayfc931319*", "Host": "yulifertilizer.com.my", "Port": "25", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: Order Details.exe	Virustotal: Detection: 50%			Perma Link
Source: Order Details.exe	ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Order Details.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Order Details.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49731 version: TLS 1.0

Source: Order Details.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: Order Details.exe, 00000000.00000002.1680271362.00000000050D0000.00000004.08000000.00040000.00000000.sdmp, Order Details.exe, 00000000.00000002.1678634520.00000000028E1000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 019AF1F6h	1_2_019AF007
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 019AFB80h	1_2_019AF007
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_019AE528
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_019AEB5B
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_019AED3C
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05EDCD49h	1_2_05EDCAA0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05EDC499h	1_2_05EDC1F0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05ED1471h	1_2_05ED11C0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05EDF461h	1_2_05EDF1B8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05EDC041h	1_2_05EDBD98
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05ED1A38h	1_2_05ED1966
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05ED1011h	1_2_05ED0D60
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05EDF009h	1_2_05EDED60
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05EDBBE9h	1_2_05EDB940
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05EDEBB1h	1_2_05EDE908
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05ED0BB1h	1_2_05ED0900
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05EDB791h	1_2_05EDB4E8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05ED0751h	1_2_05ED04A0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05EDE759h	1_2_05EDE4B0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05ED02F1h	1_2_05ED0040
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05EDE301h	1_2_05EDE058
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05EDDEA9h	1_2_05EDDC00
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05EDDA51h	1_2_05EDD7A8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05EDD5F9h	1_2_05EDD350
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05EDD1A1h	1_2_05EDCEF8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05EDFD11h	1_2_05EDFA68
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05EDC8F1h	1_2_05EDC648
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05ED1A38h	1_2_05ED1620
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 05EDF8B9h	1_2_05EDF610
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 06FB8945h	1_2_06FB8608
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 06FB6171h	1_2_06FB5EC8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_06FB36CE
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 06FB5D19h	1_2_06FB5A70
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 06FB58C1h	1_2_06FB5618
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 06FB6E79h	1_2_06FB6BD0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_06FB33B8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_06FB33A8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 06FB6A21h	1_2_06FB6778
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 06FB65C9h	1_2_06FB6320
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 06FB0B99h	1_2_06FB08F0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 06FB7751h	1_2_06FB74A8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 06FB0741h	1_2_06FB0498
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 06FB72FAh	1_2_06FB7050
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 06FB02E9h	1_2_06FB0040
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 06FB8459h	1_2_06FB81B0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 06FB5441h	1_2_06FB5198
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 06FB8001h	1_2_06FB7D58
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 06FB0FF1h	1_2_06FB0D48
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 4x nop then jmp 06FB7BA9h	1_2_06FB7900

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49740 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49742 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49738 -> 104.21.32.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49731 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: Order Details.exe, 00000001.00000002.4156338198.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.0000000003416000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000350E000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034B6000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034C4000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Order Details.exe, 00000001.00000002.4156338198.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.0000000003416000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000350E000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034B6000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.0000000003459000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000340A000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034C4000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Order Details.exe, 00000001.00000002.4156338198.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Order Details.exe, 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Order Details.exe, 00000001.00000002.4156338198.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000350E000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000342E000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034B6000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034C4000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Order Details.exe, 00000001.00000002.4156338198.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Order Details.exe, 00000001.00000002.4156338198.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.0000000003416000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000350E000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034B6000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.0000000003459000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034C4000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Order Details.exe, 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.0000000003416000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Order Details.exe, 00000001.00000002.4156338198.00000000034D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Order Details.exe, 00000001.00000002.4156338198.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000350E000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034B6000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.0000000003459000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034C4000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Order Details.exe.4ff0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Order Details.exe.4ff0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Order Details.exe.3933f90.2.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Order Details.exe.3933f90.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Order Details.exe.28ef718.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Order Details.exe.28f1f58.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1679581061.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Order Details.exe PID: 2032, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Order Details.exe PID: 2032, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Order Details.exe PID: 908, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Order Details.exe PID: 908, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Order Details.exe

Source: C:\Users\user\Desktop\Order Details.exe	Code function: 0_2_027BAE48	0_2_027BAE48
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 0_2_027B3118	0_2_027B3118
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_019AC190	1_2_019AC190
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_019A6108	1_2_019A6108
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_019AF007	1_2_019AF007
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_019AB328	1_2_019AB328
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_019AC470	1_2_019AC470
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_019A6730	1_2_019A6730
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_019AC753	1_2_019AC753
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_019A9858	1_2_019A9858
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_019ABBD3	1_2_019ABBD3
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_019A4AD9	1_2_019A4AD9
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_019ACA33	1_2_019ACA33
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_019ABEB0	1_2_019ABEB0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_019AE517	1_2_019AE517
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_019AE528	1_2_019AE528
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_019A3573	1_2_019A3573
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_019AB4F3	1_2_019AB4F3
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05ED7D90	1_2_05ED7D90
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05ED8460	1_2_05ED8460
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05ED3870	1_2_05ED3870
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDCAA0	1_2_05EDCAA0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDC1E0	1_2_05EDC1E0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDC1F0	1_2_05EDC1F0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05ED11C0	1_2_05ED11C0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDF1A9	1_2_05EDF1A9
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDF1B8	1_2_05EDF1B8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05ED11B0	1_2_05ED11B0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDBD88	1_2_05EDBD88
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDBD98	1_2_05EDBD98
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05ED0D60	1_2_05ED0D60
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDED60	1_2_05EDED60
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDB940	1_2_05EDB940
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05ED0D51	1_2_05ED0D51
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDED50	1_2_05EDED50
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDB930	1_2_05EDB930
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDE908	1_2_05EDE908
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05ED0900	1_2_05ED0900
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDB4E8	1_2_05EDB4E8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDE8F8	1_2_05EDE8F8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05ED08F0	1_2_05ED08F0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDB4D7	1_2_05EDB4D7
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05ED04A0	1_2_05ED04A0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDE4A0	1_2_05EDE4A0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDE4B0	1_2_05EDE4B0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05ED0490	1_2_05ED0490
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05ED3860	1_2_05ED3860
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDE049	1_2_05EDE049
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05ED0040	1_2_05ED0040
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDE058	1_2_05EDE058
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05ED0006	1_2_05ED0006
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDDC00	1_2_05EDDC00
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05ED73E8	1_2_05ED73E8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDDBF1	1_2_05EDDBF1
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05ED73D8	1_2_05ED73D8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDD7A8	1_2_05EDD7A8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDD798	1_2_05EDD798
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDD340	1_2_05EDD340
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDD350	1_2_05EDD350
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDCEE9	1_2_05EDCEE9
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDCEF8	1_2_05EDCEF8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDCA90	1_2_05EDCA90
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDFA68	1_2_05EDFA68
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDC648	1_2_05EDC648
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDFA59	1_2_05EDFA59
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDC638	1_2_05EDC638
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDF600	1_2_05EDF600
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05EDF610	1_2_05EDF610
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FBB6E8	1_2_06FBB6E8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FBD670	1_2_06FBD670
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FBAA58	1_2_06FBAA58
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB8608	1_2_06FB8608
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FBC388	1_2_06FBC388
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FBB0A0	1_2_06FBB0A0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB8C51	1_2_06FB8C51
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FBD028	1_2_06FBD028
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FBA408	1_2_06FBA408
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FBC9D8	1_2_06FBC9D8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB11A0	1_2_06FB11A0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FBBD38	1_2_06FBBD38
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FBB6D9	1_2_06FBB6D9
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB5EC8	1_2_06FB5EC8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB5EB8	1_2_06FB5EB8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB5A70	1_2_06FB5A70
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FBD661	1_2_06FBD661
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB5A60	1_2_06FB5A60
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FBAA52	1_2_06FBAA52
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB5618	1_2_06FB5618
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB5609	1_2_06FB5609
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB8602	1_2_06FB8602
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FBA3F8	1_2_06FBA3F8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB6BD0	1_2_06FB6BD0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB6BC1	1_2_06FB6BC1
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB33B8	1_2_06FB33B8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB33A8	1_2_06FB33A8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB6778	1_2_06FB6778
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FBC378	1_2_06FBC378
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB676A	1_2_06FB676A
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB3730	1_2_06FB3730
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB6320	1_2_06FB6320
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB6311	1_2_06FB6311
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB78F0	1_2_06FB78F0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB08F0	1_2_06FB08F0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB08E0	1_2_06FB08E0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB74A8	1_2_06FB74A8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB0498	1_2_06FB0498
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB7497	1_2_06FB7497
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB0488	1_2_06FB0488
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FBB08F	1_2_06FBB08F
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB7050	1_2_06FB7050
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB7049	1_2_06FB7049
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB0040	1_2_06FB0040
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB4430	1_2_06FB4430
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB2818	1_2_06FB2818
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FBD018	1_2_06FBD018
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB2807	1_2_06FB2807
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB0006	1_2_06FB0006
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FBC9C8	1_2_06FBC9C8
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB81B0	1_2_06FB81B0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB81A0	1_2_06FB81A0
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB5198	1_2_06FB5198
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB1191	1_2_06FB1191
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB518A	1_2_06FB518A
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB7D58	1_2_06FB7D58
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB0D48	1_2_06FB0D48
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB7D48	1_2_06FB7D48
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB0D39	1_2_06FB0D39
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FBBD28	1_2_06FBBD28
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_06FB7900	1_2_06FB7900

Source: Order Details.exe, 00000000.00000002.1678770489.00000000038E5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs Order Details.exe
Source: Order Details.exe, 00000000.00000002.1680271362.00000000050D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Order Details.exe
Source: Order Details.exe, 00000000.00000002.1679581061.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs Order Details.exe
Source: Order Details.exe, 00000000.00000002.1678634520.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Order Details.exe
Source: Order Details.exe, 00000000.00000002.1678634520.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Order Details.exe
Source: Order Details.exe, 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Order Details.exe
Source: Order Details.exe, 00000000.00000000.1673230829.0000000000592000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBladeNoPa.exe4 vs Order Details.exe
Source: Order Details.exe, 00000000.00000002.1678087390.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Order Details.exe
Source: Order Details.exe, 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Order Details.exe
Source: Order Details.exe, 00000001.00000002.4155467566.0000000001377000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Order Details.exe
Source: Order Details.exe	Binary or memory string: OriginalFilenameBladeNoPa.exe4 vs Order Details.exe

Source: Order Details.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Order Details.exe.4ff0000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Order Details.exe.4ff0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Order Details.exe.3933f90.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Order Details.exe.3933f90.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Order Details.exe.28ef718.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Order Details.exe.28f1f58.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1679581061.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Order Details.exe PID: 2032, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Order Details.exe PID: 2032, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Order Details.exe PID: 908, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Order Details.exe PID: 908, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2

Source: C:\Users\user\Desktop\Order Details.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order Details.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Order Details.exe

Mutant created: NULL

Source: Order Details.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Order Details.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Order Details.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Order Details.exe, 00000001.00000002.4156338198.00000000035A8000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000358A000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000359A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Order Details.exe	Virustotal: Detection: 50%
Source: Order Details.exe	ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\Order Details.exe "C:\Users\user\Desktop\Order Details.exe"
Source: C:\Users\user\Desktop\Order Details.exe	Process created: C:\Users\user\Desktop\Order Details.exe "C:\Users\user\Desktop\Order Details.exe"
Source: C:\Users\user\Desktop\Order Details.exe	Process created: C:\Users\user\Desktop\Order Details.exe "C:\Users\user\Desktop\Order Details.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Order Details.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Order Details.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Order Details.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Order Details.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Order Details.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: Order Details.exe

Static PE information: 0xDA00EF84 [Sun Nov 25 02:40:04 2085 UTC]

Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05ED2990 push esp; retf		1_2_05ED2AC9
Source: C:\Users\user\Desktop\Order Details.exe	Code function: 1_2_05ED2E60 push esp; iretd		1_2_05ED2E79

Source: Order Details.exe

Static PE information: section name: .text entropy: 7.213000127966721

Source: C:\Users\user\Desktop\Order Details.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Order Details.exe PID: 2032, type: MEMORYSTR

Source: C:\Users\user\Desktop\Order Details.exe	Memory allocated: 2740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Memory allocated: 28E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Memory allocated: 48E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Memory allocated: 1960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Memory allocated: 3350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Memory allocated: 3170000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 597943	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 597698	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 597213	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 594966	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 594857	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 594717	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 594266	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 594157	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 594032	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 593907	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 593797	Jump to behavior

Source: C:\Users\user\Desktop\Order Details.exe	Window / User API: threadDelayed 8474			Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Window / User API: threadDelayed 1346			Jump to behavior

Source: C:\Users\user\Desktop\Order Details.exe TID: 3584	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 1908	Thread sleep count: 8474 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 1908	Thread sleep count: 1346 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -599282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -599172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -598454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -598329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -598204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -598079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -597943s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -597813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -597698s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -597563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -597454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -597329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -597213s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -597094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -594966s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -594857s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -594717s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -594500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -594391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -594266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -594157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -594032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -593907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe TID: 2200	Thread sleep time: -593797s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 597943	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 597698	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 597213	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 594966	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 594857	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 594717	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 594266	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 594157	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 594032	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 593907	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Thread delayed: delay time: 593797	Jump to behavior

Source: Order Details.exe, 00000001.00000002.4155927278.0000000001726000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS

Source: C:\Users\user\Desktop\Order Details.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Order Details.exe

Code function: 1_2_05ED7D90 LdrInitializeThunk,

1_2_05ED7D90

Source: C:\Users\user\Desktop\Order Details.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Order Details.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Order Details.exe

Memory written: C:\Users\user\Desktop\Order Details.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Order Details.exe

Process created: C:\Users\user\Desktop\Order Details.exe "C:\Users\user\Desktop\Order Details.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Order Details.exe	Queries volume information: C:\Users\user\Desktop\Order Details.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Queries volume information: C:\Users\user\Desktop\Order Details.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Order Details.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156338198.000000000351C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156338198.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Order Details.exe PID: 2032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Order Details.exe PID: 908, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Order Details.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Order Details.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\Order Details.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Order Details.exe PID: 2032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Order Details.exe PID: 908, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Order Details.exe.39e8e20.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order Details.exe.39c81f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Order Details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order Details.exe.39e8e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order Details.exe.39c81f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156338198.000000000351C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4156338198.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Order Details.exe PID: 2032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Order Details.exe PID: 908, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Order Details.exe	51%	Virustotal		Browse
Order Details.exe	39%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
Order Details.exe	100%	Avira	HEUR/AGEN.1311171
Order Details.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.32.1	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	Order Details.exe, 00000001.00000002.4156338198.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.0000000003416000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000350E000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034B6000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.0000000003459000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034C4000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	Order Details.exe, 00000001.00000002.4156338198.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.0000000003416000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000350E000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034B6000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.0000000003459000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000340A000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034C4000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	Order Details.exe, 00000001.00000002.4156338198.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.0000000003416000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000350E000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034B6000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034C4000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Order Details.exe, 00000001.00000002.4156338198.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	Order Details.exe, 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	Order Details.exe, 00000001.00000002.4156338198.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000350E000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034B6000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.0000000003459000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034C4000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	Order Details.exe, 00000001.00000002.4156338198.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000350E000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.000000000342E000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034B6000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034C4000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.00000000034D2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	Order Details.exe, 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Order Details.exe, 00000001.00000002.4156338198.0000000003416000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.32.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592377
Start date and time:	2025-01-16 02:23:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Order Details.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 121 Number of non-executed functions: 49
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:24:01	API Interceptor	12531463x Sleep call for process: Order Details.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.32.1	New order BPD-003777.exe	Get hash	malicious	FormBook	Browse	www.cikolatasampuan.xyz/sbv2/
	DOCU800147001.exe	Get hash	malicious	GuLoader	Browse	b2csa.icu/PL341/index.php
	24010-KAPSON.exe	Get hash	malicious	Azorult, GuLoader	Browse	b2csa.icu/PL341/index.php
	bIcqeSVPW6.exe	Get hash	malicious	FormBook	Browse	www.rafconstrutora.online/sa6l/
	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	www.aziziyeescortg.xyz/2pcx/
	25IvlOVEB1.exe	Get hash	malicious	FormBook	Browse	www.masterqq.pro/3vdc/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	redroomaudio.com/administrator/index.php
193.122.6.168	Contrarre.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	BNXCXCJSD.jse	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	NEWORDER.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	PDF6UU0CVUO2W-YGVUIO.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	PO#_1100015533.scr	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	1nl3hc.ps1	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	Contrarre.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	RFQ_AS0101402025.22025_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
checkip.dyndns.com	BNXCXCJSD.jse	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	NEWORDER.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PDF6UU0CVUO2W-YGVUIO.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	PO#_1100015533.scr	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	1nl3hc.ps1	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	Contrarre.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	RFQ_AS0101402025.22025_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	Execute.ps1	Get hash	malicious	Metasploit	Browse	158.101.196.44
	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PDF6UU0CVUO2W-YGVUIO.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	PO#_1100015533.scr	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	1nl3hc.ps1	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	Contrarre.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	RFQ_AS0101402025.22025_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	m68k.elf	Get hash	malicious	Unknown	Browse	193.122.239.186
CLOUDFLARENETUS	Subscription_Renewal_Invoice_2025_FGHDCS.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://yogalisbon.gitcz.pw/sign-in	Get hash	malicious	Unknown	Browse	104.21.112.1
	http://com-evaluate-fanpage30127.pages.dev/help/contact/671203900952887	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	http://docs-wltconnect.gitbook.io/us-en	Get hash	malicious	HTMLPhisher	Browse	172.64.147.209
	https://inhospitality.shop/	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://shorten.so/fVj82	Get hash	malicious	Porn Scam	Browse	104.21.54.29
	https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	http://hrpibzdeam.xyz/	Get hash	malicious	Unknown	Browse	172.67.196.118
	http://logincrypto-crypto.gitbook.io/us	Get hash	malicious	HTMLPhisher	Browse	172.64.147.209
	https://meta.supportlivefanpage.us/community-standard/28244/confirm	Get hash	malicious	Unknown	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	BNXCXCJSD.jse	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	NEWORDER.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	PDF6UU0CVUO2W-YGVUIO.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	1nl3hc.ps1	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	Contrarre.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	RFQ_AS0101402025.22025_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1

Process:	C:\Users\user\Desktop\Order Details.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	706
Entropy (8bit):	5.349842958726647
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M9XKbbDLI4MWuPJKAVKhat92n4M6:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84j
MD5:	9BA266AD16952A9A57C3693E0BCFED48
SHA1:	5DB70A3A7F1DB4E3879265AB336B2FA1AFBCECD5
SHA-256:	A6DFD14E82D7D47195A1EC7F31E64C2820AB8721EF4B5825E21E742093B55C0E
SHA-512:	678E1F639379FC24919B7CF562FA19CE53363CBD4B0EAB66486F6F8D5DD5958DE3AAE8D7842EE868EFCC39D907FDC1A3ACF464E29D37B0DAEE9874C39730FE8E
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.202602340768788
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Order Details.exe
File size:	591'360 bytes
MD5:	06c48ef3e45a7dafedbd596368918830
SHA1:	6ec2e82db6d702ddc0f4b302a4d8f02fd4c36c36
SHA256:	1e2333cb4fb3ecca06d22bb3b6255e5ac62b7ba43c3bceb8c17252657f34ba1e
SHA512:	075339ded9d2831723318812cc50ed50978548a1df7df82a57fb2cdab97a788e8ca220131fbdb24c1d5f456c089237a6561f05a01c71075352db060eec792088
SSDEEP:	12288:ZbRKjP7ne23gAcdtfD19UK/IBW+hb9LiRPXPgm:DKjP7e23gAcvfD1sW+Vo
TLSH:	7DC4BE9C2B9889F5D87645F29CF2545E7B78A90221F0E46420CB0EDDADDAF43099837F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x491bce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xDA00EF84 [Sun Nov 25 02:40:04 2085 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x91b80	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x92000	0x5a6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x94000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8fbd4	0x8fc00	33e25ca7c5528830a043e61fe47164c2	False	0.5194616168478261	data	7.213000127966721	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x92000	0x5a6	0x600	c474081526abd64245cfd3ae4521545e	False	0.4173177083333333	data	4.084105898819439	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x94000	0xc	0x200	48598e14c8fb96c5183ccca32e3b49d0	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x920a0	0x31c	data			0.4296482412060301
RT_MANIFEST	0x923bc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-16T02:24:00.739904+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	193.122.6.168	80	TCP
2025-01-16T02:24:02.255513+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	193.122.6.168	80	TCP
2025-01-16T02:24:02.848711+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49732	104.21.32.1	443	TCP
2025-01-16T02:24:03.536813+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49733	193.122.6.168	80	TCP
2025-01-16T02:24:06.855237+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49738	104.21.32.1	443	TCP
2025-01-16T02:24:08.097022+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49740	104.21.32.1	443	TCP
2025-01-16T02:24:09.347621+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49742	104.21.32.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 02:23:59.845639944 CET	49730	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:23:59.850481987 CET	80	49730	193.122.6.168	192.168.2.4
Jan 16, 2025 02:23:59.850619078 CET	49730	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:23:59.852308035 CET	49730	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:23:59.857140064 CET	80	49730	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:00.498305082 CET	80	49730	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:00.504251003 CET	49730	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:00.509315014 CET	80	49730	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:00.694583893 CET	80	49730	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:00.739903927 CET	49730	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:00.749083996 CET	49731	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:00.749171972 CET	443	49731	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:00.749631882 CET	49731	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:00.804876089 CET	49731	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:00.804955959 CET	443	49731	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:01.278129101 CET	443	49731	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:01.278356075 CET	49731	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:01.283165932 CET	49731	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:01.283221960 CET	443	49731	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:01.283581972 CET	443	49731	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:01.333765030 CET	49731	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:01.896434069 CET	49731	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:01.939408064 CET	443	49731	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:02.006443977 CET	443	49731	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:02.006591082 CET	443	49731	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:02.006769896 CET	49731	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:02.012423038 CET	49731	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:02.015245914 CET	49730	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:02.020207882 CET	80	49730	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:02.205658913 CET	80	49730	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:02.210061073 CET	49732	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:02.210103989 CET	443	49732	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:02.210304976 CET	49732	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:02.210602999 CET	49732	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:02.210635900 CET	443	49732	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:02.255512953 CET	49730	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:02.700874090 CET	443	49732	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:02.702832937 CET	49732	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:02.702914953 CET	443	49732	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:02.848818064 CET	443	49732	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:02.848972082 CET	443	49732	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:02.849184990 CET	49732	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:02.849587917 CET	49732	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:02.852876902 CET	49730	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:02.854196072 CET	49733	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:02.858442068 CET	80	49730	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:02.858640909 CET	49730	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:02.859606028 CET	80	49733	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:02.859786034 CET	49733	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:02.859786987 CET	49733	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:02.865122080 CET	80	49733	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:03.486785889 CET	80	49733	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:03.487869978 CET	49734	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:03.487914085 CET	443	49734	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:03.487991095 CET	49734	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:03.488224983 CET	49734	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:03.488238096 CET	443	49734	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:03.536813021 CET	49733	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:03.967657089 CET	443	49734	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:03.969508886 CET	49734	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:03.969584942 CET	443	49734	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:04.116931915 CET	443	49734	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:04.117074013 CET	443	49734	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:04.117192030 CET	49734	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:04.117546082 CET	49734	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:04.120826960 CET	49735	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:04.125796080 CET	80	49735	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:04.126038074 CET	49735	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:04.126038074 CET	49735	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:04.131033897 CET	80	49735	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:04.770755053 CET	80	49735	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:04.772172928 CET	49736	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:04.772269011 CET	443	49736	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:04.772355080 CET	49736	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:04.772654057 CET	49736	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:04.772675037 CET	443	49736	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:04.818172932 CET	49735	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:05.232516050 CET	443	49736	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:05.233975887 CET	49736	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:05.234070063 CET	443	49736	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:05.367386103 CET	443	49736	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:05.367530107 CET	443	49736	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:05.367702007 CET	49736	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:05.367899895 CET	49736	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:05.371675968 CET	49735	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:05.372214079 CET	49737	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:05.377260923 CET	80	49735	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:05.377440929 CET	80	49737	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:05.377444029 CET	49735	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:05.377522945 CET	49737	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:05.377589941 CET	49737	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:05.382911921 CET	80	49737	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:06.005024910 CET	80	49737	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:06.017859936 CET	49738	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:06.017967939 CET	443	49738	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:06.018044949 CET	49738	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:06.018255949 CET	49738	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:06.018276930 CET	443	49738	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:06.052531004 CET	49737	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:06.660830975 CET	443	49738	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:06.662334919 CET	49738	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:06.662415981 CET	443	49738	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:06.855379105 CET	443	49738	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:06.855539083 CET	443	49738	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:06.855707884 CET	49738	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:06.855834961 CET	49738	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:06.858599901 CET	49737	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:06.859096050 CET	49739	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:06.863949060 CET	80	49737	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:06.864034891 CET	80	49739	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:06.864058971 CET	49737	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:06.864098072 CET	49739	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:06.864165068 CET	49739	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:06.869098902 CET	80	49739	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:07.496551037 CET	80	49739	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:07.501498938 CET	49740	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:07.501589060 CET	443	49740	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:07.501692057 CET	49740	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:07.502232075 CET	49740	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:07.502314091 CET	443	49740	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:07.540946007 CET	49739	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:07.961690903 CET	443	49740	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:07.963654041 CET	49740	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:07.963740110 CET	443	49740	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:08.097086906 CET	443	49740	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:08.097229958 CET	443	49740	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:08.097470999 CET	49740	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:08.097588062 CET	49740	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:08.100622892 CET	49739	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:08.101541042 CET	49741	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:08.105670929 CET	80	49739	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:08.105734110 CET	49739	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:08.106492043 CET	80	49741	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:08.106698036 CET	49741	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:08.106698990 CET	49741	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:08.111675024 CET	80	49741	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:08.742722988 CET	80	49741	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:08.752826929 CET	49742	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:08.752921104 CET	443	49742	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:08.753012896 CET	49742	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:08.753458977 CET	49742	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:08.753540039 CET	443	49742	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:08.786935091 CET	49741	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:09.210362911 CET	443	49742	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:09.212102890 CET	49742	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:09.212188005 CET	443	49742	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:09.347718000 CET	443	49742	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:09.347877979 CET	443	49742	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:09.348022938 CET	49742	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:09.348263979 CET	49742	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:09.351396084 CET	49741	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:09.352579117 CET	49743	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:09.356555939 CET	80	49741	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:09.356724977 CET	49741	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:09.357469082 CET	80	49743	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:09.357692003 CET	49743	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:09.357692003 CET	49743	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:09.362723112 CET	80	49743	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:10.062796116 CET	80	49743	193.122.6.168	192.168.2.4
Jan 16, 2025 02:24:10.097768068 CET	49744	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:10.097820997 CET	443	49744	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:10.098043919 CET	49744	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:10.098232031 CET	49744	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:10.098249912 CET	443	49744	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:10.115083933 CET	49743	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:24:10.558015108 CET	443	49744	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:10.559623003 CET	49744	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:10.559675932 CET	443	49744	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:10.686152935 CET	443	49744	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:10.686305046 CET	443	49744	104.21.32.1	192.168.2.4
Jan 16, 2025 02:24:10.686469078 CET	49744	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:24:10.686784983 CET	49744	443	192.168.2.4	104.21.32.1
Jan 16, 2025 02:25:08.579365015 CET	80	49733	193.122.6.168	192.168.2.4
Jan 16, 2025 02:25:08.582257032 CET	49733	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:25:15.068242073 CET	80	49743	193.122.6.168	192.168.2.4
Jan 16, 2025 02:25:15.068310976 CET	49743	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:25:50.069111109 CET	49743	80	192.168.2.4	193.122.6.168
Jan 16, 2025 02:25:50.074033976 CET	80	49743	193.122.6.168	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 02:23:59.828330040 CET	59904	53	192.168.2.4	1.1.1.1
Jan 16, 2025 02:23:59.835450888 CET	53	59904	1.1.1.1	192.168.2.4
Jan 16, 2025 02:24:00.738914013 CET	59375	53	192.168.2.4	1.1.1.1
Jan 16, 2025 02:24:00.746440887 CET	53	59375	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 16, 2025 02:23:59.828330040 CET	192.168.2.4	1.1.1.1	0x2628	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:24:00.738914013 CET	192.168.2.4	1.1.1.1	0xb52a	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 16, 2025 02:23:59.835450888 CET	1.1.1.1	192.168.2.4	0x2628	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 02:23:59.835450888 CET	1.1.1.1	192.168.2.4	0x2628	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:23:59.835450888 CET	1.1.1.1	192.168.2.4	0x2628	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:23:59.835450888 CET	1.1.1.1	192.168.2.4	0x2628	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:23:59.835450888 CET	1.1.1.1	192.168.2.4	0x2628	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:23:59.835450888 CET	1.1.1.1	192.168.2.4	0x2628	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:24:00.746440887 CET	1.1.1.1	192.168.2.4	0xb52a	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:24:00.746440887 CET	1.1.1.1	192.168.2.4	0xb52a	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:24:00.746440887 CET	1.1.1.1	192.168.2.4	0xb52a	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:24:00.746440887 CET	1.1.1.1	192.168.2.4	0xb52a	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:24:00.746440887 CET	1.1.1.1	192.168.2.4	0xb52a	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:24:00.746440887 CET	1.1.1.1	192.168.2.4	0xb52a	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:24:00.746440887 CET	1.1.1.1	192.168.2.4	0xb52a	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	193.122.6.168	80	908	C:\Users\user\Desktop\Order Details.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 02:23:59.852308035 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 02:24:00.498305082 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:00 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 16, 2025 02:24:00.504251003 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 02:24:00.694583893 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:00 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 16, 2025 02:24:02.015245914 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 02:24:02.205658913 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:02 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49733	193.122.6.168	80	908	C:\Users\user\Desktop\Order Details.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 02:24:02.859786987 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 02:24:03.486785889 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49735	193.122.6.168	80	908	C:\Users\user\Desktop\Order Details.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 02:24:04.126038074 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 02:24:04.770755053 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:04 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49737	193.122.6.168	80	908	C:\Users\user\Desktop\Order Details.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 02:24:05.377589941 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 02:24:06.005024910 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49739	193.122.6.168	80	908	C:\Users\user\Desktop\Order Details.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 02:24:06.864165068 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 02:24:07.496551037 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	193.122.6.168	80	908	C:\Users\user\Desktop\Order Details.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 02:24:08.106698990 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 02:24:08.742722988 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:08 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	193.122.6.168	80	908	C:\Users\user\Desktop\Order Details.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 02:24:09.357692003 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 02:24:10.062796116 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	104.21.32.1	443	908	C:\Users\user\Desktop\Order Details.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 01:24:01 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 01:24:02 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:01 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2305431 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6xMMweAAUsN0ys1BjONflGPetqFVYJndlk5Nt%2BOsIi%2BOEM9BLIkA68LIGCQS9GPgrfSnyGUcUU5zWSKQyCEUUbN1TewmcbAAVnpYAa8VwRUV4JJufww4HZSW3hjQMlfvi4bDJCMQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902a4db829b91875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1512&min_rtt=1510&rtt_var=570&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1913499&cwnd=153&unsent_bytes=0&cid=2bc88d60ff4ec68d&ts=742&x=0"
2025-01-16 01:24:02 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	104.21.32.1	443	908	C:\Users\user\Desktop\Order Details.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 01:24:02 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-16 01:24:02 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:02 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2305431 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=okYllKn5iBczDyKuVkE9ZNuzuowNqUw6oyHh5LQWH1YMgj6hqspSyUdOU%2FXmVRgHOHbeldrDg0q7Oy%2BP58jSiQK5k1Cfts6iJJJXdnVeHhnjF8%2BMZwrNvvvG0tLXluP8Awpc31N3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902a4dbd6d661875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1481&min_rtt=1479&rtt_var=558&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1953177&cwnd=153&unsent_bytes=0&cid=7cf0f0fe4983487a&ts=158&x=0"
2025-01-16 01:24:02 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49734	104.21.32.1	443	908	C:\Users\user\Desktop\Order Details.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 01:24:03 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 01:24:04 UTC	861	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:04 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2305433 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Eh5I1mssm5HeN4Oq8FOwueJVFPBkin4CZMRSPzTJgHiM5kvMJPSNNeg%2BGw5BAEoqGHd123nN1xkdNPCTJP%2BhrakAS0KhLcq27DN%2BG%2FCKTWJf5MF437jkT1zAiVBFnZbV4bI%2Bw%2Fez"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902a4dc558a941a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1593&min_rtt=1591&rtt_var=602&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1809169&cwnd=242&unsent_bytes=0&cid=920aaefa024ea850&ts=158&x=0"
2025-01-16 01:24:04 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49736	104.21.32.1	443	908	C:\Users\user\Desktop\Order Details.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 01:24:05 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 01:24:05 UTC	851	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:05 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2305434 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9eDuOQbVc6rXYXwI1YqYzCh3ZF0LY21SPeR4PBYTT9LK7DYeG7waC74fBuNWemchreN7AOfbqCAfl3hFtdbsdqIebMTMqWoBFkYNkXC%2BBd50ZPFwuL97R91NPZbYti1wsErPblHw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902a4dcd2f66c327-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1465&min_rtt=1462&rtt_var=554&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1965006&cwnd=189&unsent_bytes=0&cid=841fe512b54f94c3&ts=143&x=0"
2025-01-16 01:24:05 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49738	104.21.32.1	443	908	C:\Users\user\Desktop\Order Details.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 01:24:06 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-16 01:24:06 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:06 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2305435 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CduFQEGRWbAFPDnEQNmp97si9UpxLT6rPmXpyNIAqdKwBltBa5E3gt7qIUf%2F1ec6cMPX1UMsMomWc%2BgrQApm1vTSe9H%2FZ7fm7CXTRqgy9jr7FD%2BCFgv2PlurwGraR0c5v9xATa54"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902a4dd649524344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=26234&min_rtt=1714&rtt_var=15279&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1703617&cwnd=47&unsent_bytes=0&cid=d5acf20b11b9bc60&ts=179&x=0"
2025-01-16 01:24:06 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49740	104.21.32.1	443	908	C:\Users\user\Desktop\Order Details.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 01:24:07 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-16 01:24:08 UTC	852	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:08 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2305437 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aBsXIhfAiuB0JYZIAX6hMqZAChWKRL2RIwJocAKxq8i73J9YOqfRz13xQLfaMF%2FG9yV62OpV10UcuhzJlvVl7vhG1OvGnVE21HIwEVvXym%2FtvmSiQIlU9mAK3rznF7yqZspNXmUR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902a4dde3a634344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1708&min_rtt=1687&rtt_var=648&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1730883&cwnd=47&unsent_bytes=0&cid=c311c2743693b3de&ts=143&x=0"
2025-01-16 01:24:08 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	104.21.32.1	443	908	C:\Users\user\Desktop\Order Details.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 01:24:09 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-16 01:24:09 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:09 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2305438 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XFrmxzNHEj%2BLlf5jHnTHYTljPfd%2F%2Bte1J2j2SRPdcceQGL0bnvSbTza1M%2F2ofXGIiLieQHzyQXo5jFWDzTW0JIWoLy6ol0jCslNPP7IeW8Kq0tCBFPPmdYBQunR7LFnzrOW0m%2BK7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902a4de60fcf72b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1796&min_rtt=1793&rtt_var=675&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1628555&cwnd=217&unsent_bytes=0&cid=501c5cae3f989d7d&ts=141&x=0"
2025-01-16 01:24:09 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	104.21.32.1	443	908	C:\Users\user\Desktop\Order Details.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 01:24:10 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 01:24:10 UTC	851	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:10 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2305439 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SYlPnI6v9jvh37RY6iKNMTHdpcZ16OBoplUKbox2zZRBzGSKWC5sEZJYMxRKKnW6Kd4Ofd5DsDYvFBDj6XjY2scQA7fwKRTenD4yEXiqnP1Z%2FiI0CXyPWGNopkQlU7rlMXX3BsC3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902a4dee7edb41a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1652&min_rtt=1587&rtt_var=642&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1839949&cwnd=242&unsent_bytes=0&cid=d0c51d8c22148a48&ts=136&x=0"
2025-01-16 01:24:10 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	20:23:58
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\Order Details.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Order Details.exe"
Imagebase:	0x590000
File size:	591'360 bytes
MD5 hash:	06C48EF3E45A7DAFEDBD596368918830
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000000.00000002.1679581061.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1678770489.0000000003986000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:23:58
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\Order Details.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Order Details.exe"
Imagebase:	0xf50000
File size:	591'360 bytes
MD5 hash:	06C48EF3E45A7DAFEDBD596368918830
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000002.4155374471.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4156338198.000000000351C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4156338198.0000000003351000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	5.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	76%
Total number of Nodes:	25
Total number of Limit Nodes:	1

Executed Functions

Function 027BAE48 Relevance: 1.9, Strings: 1, Instructions: 615
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 027BB5F8

Memory Dump Source

Source File: 00000000.00000002.1678548090.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_Order Details.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: b97f410858cea4e43f332bb78b2555bc268d7c9390ef4fcb084de19f6d50d593
Instruction ID: 27d4e4ff880fe4f214a36ad34ab820b85591d207edeb08c33239af3bdb2a998b
Opcode Fuzzy Hash: b97f410858cea4e43f332bb78b2555bc268d7c9390ef4fcb084de19f6d50d593
Instruction Fuzzy Hash: 9352E170D01228CFDB65DF65C984BEDBBB2BF89304F1081EA9509AB295DB349E85CF41

Function 027B9F3C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 027BBB49

Memory Dump Source

Source File: 00000000.00000002.1678548090.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_Order Details.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9082a8900d425961c66877e74c9abdde015d15c073b0f9cf7b65e636ecc605e6
Instruction ID: b87c0a89f6ef4b2344140cd33d286dbe82dcffd91bde970d17d8b93d79366b9d
Opcode Fuzzy Hash: 9082a8900d425961c66877e74c9abdde015d15c073b0f9cf7b65e636ecc605e6
Instruction Fuzzy Hash: 7181C174D00259DFDB21CFA9C980BEDBBF5AF09304F1490AAE908B7220DB709A85CF54

Function 027BAA20 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 027BAAF3

Memory Dump Source

Source File: 00000000.00000002.1678548090.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_Order Details.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a98daa86881a7bf780bc4034ba8c19bf4d9b71ddfabde6cecca6cbe00f96f911
Instruction ID: db6a159b6d3fcbe9c7d1ac52948bfbf04ca58013fb127bcd1cb1ef41a3a449cc
Opcode Fuzzy Hash: a98daa86881a7bf780bc4034ba8c19bf4d9b71ddfabde6cecca6cbe00f96f911
Instruction Fuzzy Hash: 574199B5D012589FCB00DFA9D984ADEFBF1BF49314F20902AE818B7210D735AA45CF68

Function 027B9F60 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 027BBE55

Memory Dump Source

Source File: 00000000.00000002.1678548090.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_Order Details.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 1c8d8c844644f4f80d32d08adf5c096695ef657522fb5a4945e21848a2fa8812
Instruction ID: f1fb3fe55ac13abab187ac3fcee33cdf5dc1ac72c509ca01e1fb239c483225f4
Opcode Fuzzy Hash: 1c8d8c844644f4f80d32d08adf5c096695ef657522fb5a4945e21848a2fa8812
Instruction Fuzzy Hash: AB4176B9D04258DFCF10CFAAD984ADEFBB5BB19314F10A06AE914B7210D335A945CF64

Function 027BAB78 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 027BAC22

Memory Dump Source

Source File: 00000000.00000002.1678548090.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_Order Details.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 84eecbcd8f5150981859709db5bd8cea706f1250eae145899c35a5390aa3478e
Instruction ID: d980b85f3463e81f6f20611e889d00f019eb325069d302349183984d7d544d92
Opcode Fuzzy Hash: 84eecbcd8f5150981859709db5bd8cea706f1250eae145899c35a5390aa3478e
Instruction Fuzzy Hash: 7331A6B8D002589FCF10CFA9D980ADEFBB5BF49310F10A42AE814B7210D735A945CF68

Function 027BA8F8 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 027BA9A7

Memory Dump Source

Source File: 00000000.00000002.1678548090.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_Order Details.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4336a508bd9c56795809c6f0d7efb43b2f59621f63151864b241a97925bf9d9e
Instruction ID: 4444bd958633dc63ab21962c0011f4d1680dc3fb90c340d284888ffa10ad5c25
Opcode Fuzzy Hash: 4336a508bd9c56795809c6f0d7efb43b2f59621f63151864b241a97925bf9d9e
Instruction Fuzzy Hash: FF31ACB5D012589FCB10DFA9D984AEEFBF1BF49314F14802AE454B7250D738A989CF54

Function 027B9F48 Relevance: 1.6, APIs: 1, Instructions: 91
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64GetThreadContext.KERNEL32(?,?), ref: 027BBD42

Memory Dump Source

Source File: 00000000.00000002.1678548090.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_Order Details.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8ae4dd9672b5984c8d9e1f390264e278b54c38df037896299038269c64ab044c
Instruction ID: dd20c5a72e996b280f0178c6be3818a5e089cab105c10421cc4bb5edb0b85647
Opcode Fuzzy Hash: 8ae4dd9672b5984c8d9e1f390264e278b54c38df037896299038269c64ab044c
Instruction Fuzzy Hash: 32319AB5D012589FCB10CFAAD584ADEFBF1BF49314F24906AE818B7210D378A945CFA4

Function 027BAC98 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 027BAD16

Memory Dump Source

Source File: 00000000.00000002.1678548090.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_Order Details.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d6999d0867a846d129afe75eeabca9b80000afe906f1325e49a4006cdefd366c
Instruction ID: d31236c2b4b28246a694087b141501496c133623e848cea09ae738b4da938cd0
Opcode Fuzzy Hash: d6999d0867a846d129afe75eeabca9b80000afe906f1325e49a4006cdefd366c
Instruction Fuzzy Hash: 5D31C9B4D002189FCB10DFAAD984ADEFBB4AF49314F10842AE818B7210CB35A845CF98

Function 00CFD5E8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1677773641.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfd000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf5d2e2483d0dc1df63d932d20866f29fd4d7447e238246ef30808d4cda5061
Instruction ID: 770e45d824eb67ea0dd6655e463e1c5355ff793053797f7f0842610822b8162d
Opcode Fuzzy Hash: cdf5d2e2483d0dc1df63d932d20866f29fd4d7447e238246ef30808d4cda5061
Instruction Fuzzy Hash: BA2125B1500208DFCB45DF14D9C4B26BF66FB98314F208969FA0E8B256C336D856CAA2

Function 00CFD4FC Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1677773641.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfd000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01faffe8cbdddc2ba3541aa20aef2d44f106c677e888c06ff757c4cfa9bcd6ea
Instruction ID: 912231ae6afa7664f39f1167d8ef5ecee543e4ead7967ddd4d162548c0ddcb20
Opcode Fuzzy Hash: 01faffe8cbdddc2ba3541aa20aef2d44f106c677e888c06ff757c4cfa9bcd6ea
Instruction Fuzzy Hash: 092125B1504208DFCB45DF14D9C0B37BF66FB98318F20C569EA0A4B256C336D956DBA2

Function 00CFD5E3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1677773641.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfd000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 4c69b0fa2308c39b0f9e9fbd7f15573b73ed50f8778002633db4488138757011
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: D411D376504244CFCB16CF14D9C4B26BF72FB94314F24C5A9E90A4B256C336D95ACBA2

Function 00CFD4F7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1677773641.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfd000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 5b963895fc3705c9dba3c37afa1ad8ff1e9c4e463a020edc999ee4ae9505ef2d
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 1811E6B6504244CFCB06DF10D5C4B26BF72FB94314F24C6A9DD0A0B256C336D95ACBA2

Non-executed Functions

Function 027B3118 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1678548090.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27b0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704c4f25616f2b3cf4cefde79bb6a877eb5caa506d723a001d8b1a81db67d92a
Instruction ID: cc7acfab94b7efb6ae17a92b62dc15bfe1be97956f9a842972fbed364a84ca53
Opcode Fuzzy Hash: 704c4f25616f2b3cf4cefde79bb6a877eb5caa506d723a001d8b1a81db67d92a
Instruction Fuzzy Hash: CE11AFC6C6BEA44BE7270576C86A3C11B96CF7B188F0493D6D1B88A5E7E5C840CBC252

Analysis Process: Order Details.exePID: 908, Parent PID: 2032COMMON

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	37.9%
Total number of Nodes:	29
Total number of Limit Nodes:	2

Executed Functions

Function 019A6730 Relevance: 5.5, Strings: 4, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 019A69F2
(o^q, xrefs: 019A6988
(o^q, xrefs: 019A697A
,bq, xrefs: 019A6A00

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: e9c2b18ce3fde3a18258a4afa7543500df6db4acbbd6193393285102a883893c
Instruction ID: 235d5a288f907ed10f17f78fbcdf23b2c5a241645c6458bbd39d8a41ca30ba36
Opcode Fuzzy Hash: e9c2b18ce3fde3a18258a4afa7543500df6db4acbbd6193393285102a883893c
Instruction Fuzzy Hash: 36028271E00205DFCB15CF6DC988AADBBBAFF88301F598469E519AB261D730DC45CB91

Function 019A9858 Relevance: 3.4, Strings: 2, Instructions: 863COMMON

Download Yara Rule

Strings

(o^q, xrefs: 019A9C78
4'^q, xrefs: 019AA273

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: (o^q$4'^q
API String ID: 0-273632683
Opcode ID: 9dcc91d5d48a1c63f4699cce9ca0b3239642e79d238710e1215a72c02367bbe4
Instruction ID: 781deba95cbf1c62516c7c9d2522e5cad731e9f2657f13d5a852b241509dc52e
Opcode Fuzzy Hash: 9dcc91d5d48a1c63f4699cce9ca0b3239642e79d238710e1215a72c02367bbe4
Instruction Fuzzy Hash: F3729371A00209DFCB15CF68C984AAEBBF6FF88305F558559E9099B3A1D731EC49CB90

Function 019A6108 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

(o^q, xrefs: 019A6642
Hbq, xrefs: 019A650E

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: a7fe8403e15c443d4646ad2a71c6fc64058c3599eba30f7b6d8a6054b99c3314
Instruction ID: 13bff3c4afad3fd9ac0567a61245643f6e6dc6f4757c38e4eb9f17199857a901
Opcode Fuzzy Hash: a7fe8403e15c443d4646ad2a71c6fc64058c3599eba30f7b6d8a6054b99c3314
Instruction Fuzzy Hash: 90129D70A002199FDB15DF69C894AAEBBFAFF88300F548569E509DB391DF349C85CB90

Function 019A3573 Relevance: 2.9, Strings: 2, Instructions: 418
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 019A3596
Xbq, xrefs: 019A35AF

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: 3053691cc0ca45f8af29241cb6bb2650ad6a2cb7567a6d3e42297744d7d4f92a
Instruction ID: 9908d35ab16fddbc32480cdee27da9656987e60e92f2aa0d2394cdb38b1db399
Opcode Fuzzy Hash: 3053691cc0ca45f8af29241cb6bb2650ad6a2cb7567a6d3e42297744d7d4f92a
Instruction Fuzzy Hash: 43F16D74E01258DFCB18DFB8D8549AEBBB6BFC8700F548569E40AA7358CF359806CB81

Function 019AB328 Relevance: 2.9, Strings: 2, Instructions: 356
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 019AB747
PH^q, xrefs: 019AB758

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: cd453171e20e4bf3ced8d945789a8b5ae6395f9bd4e03836fdb068f550c8e853
Instruction ID: 328848a30dd4ea43882b8792c71365e963798f4183f33676efc1d3e057eda526
Opcode Fuzzy Hash: cd453171e20e4bf3ced8d945789a8b5ae6395f9bd4e03836fdb068f550c8e853
Instruction Fuzzy Hash: 97E10771A00218CFDB14CFA9D884A9DBBF6FF48711F558069E809AB361DB30AC85CF90

Function 019AC470 Relevance: 2.7, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 019AC6D8
PH^q, xrefs: 019AC6C7

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: f20d0368e7b85c0d95ae0bfc903955159c5063ac39839973e59d081b18b39a63
Instruction ID: 7685786a1f7a94a48bd2899a9f59976a57ea908d41c7eea85aff8974defd66eb
Opcode Fuzzy Hash: f20d0368e7b85c0d95ae0bfc903955159c5063ac39839973e59d081b18b39a63
Instruction Fuzzy Hash: 3C91D474E00208CFDB14CFA9D884A9DBBF6BF89311F54D469E809AB365DB34A945CF50

Function 019AC753 Relevance: 2.7, Strings: 2, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 019AC9B8
PH^q, xrefs: 019AC9A7

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 90428c8dd2d33598c80ea8ddea8b3d29b69343e8286ffc5cb057b41e97dd308e
Instruction ID: 8a66ac23dd53ba39a769adb52b2cc207f2cffad76541f3e4ae1c76c57e561f50
Opcode Fuzzy Hash: 90428c8dd2d33598c80ea8ddea8b3d29b69343e8286ffc5cb057b41e97dd308e
Instruction Fuzzy Hash: 9581C374E01218CFDB14CFAAD984A9DBBF2BF89310F14D069E409AB365DB349985CF51

Function 06FB8C51 Relevance: 2.7, Strings: 2, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 06FB8E9A
PH^q, xrefs: 06FB8EAB

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 94a6efe8602df158990f469eff2b504f938d1ed8679a6b537facb3cd91619e38
Instruction ID: a40f137ae04c670aeedb4ff98c739fd509f57a91e241c6af923f8a0662db6b1b
Opcode Fuzzy Hash: 94a6efe8602df158990f469eff2b504f938d1ed8679a6b537facb3cd91619e38
Instruction Fuzzy Hash: 6981AE74E01218CFDB58CFAAD994BEDBBB2BF89300F20916AD419AB354DB345985CF50

Function 019A4AD9 Relevance: 2.7, Strings: 2, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 019A4D41
PH^q, xrefs: 019A4D30

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 84326fa3fd451f77b8bef13aec95882c60119764e56bc68a5eedfe67e2c20938
Instruction ID: 1e8fad016721da17e5f93bdfef9969e93c04934b657a133e0301c59ed25b2fbb
Opcode Fuzzy Hash: 84326fa3fd451f77b8bef13aec95882c60119764e56bc68a5eedfe67e2c20938
Instruction Fuzzy Hash: F281B374E00218CFDB14CFAAD884A9DBBF2BF89301F14D069E819AB365DB749985CF50

Function 019AC190 Relevance: 2.7, Strings: 2, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 019AC3E7
PH^q, xrefs: 019AC3F8

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 8803e34ca59e64e60d498b11e5cab08baa1693c2f58473103ac41b9c32a9421f
Instruction ID: ccca0ae35d0d9fea57e07116ae64aa223c1ae58cc4cc78bec87e00813691eb25
Opcode Fuzzy Hash: 8803e34ca59e64e60d498b11e5cab08baa1693c2f58473103ac41b9c32a9421f
Instruction Fuzzy Hash: 4D81B474E01208DFDB14DFAAD884A9DBBF2BF89300F14D069E809AB365DB349945CF50

Function 019ACA33 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PH^q, xrefs: 019ACC87
PH^q, xrefs: 019ACC98

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: b298ca4e8147ddbcbd08ab44eaa0b29cb01c1affcf7507e95b30e42a61314a2f
Instruction ID: c774ce5d14c3b2e7e1aa1c3abb3f967a15a3a882f219d05d510c13617c901bb9
Opcode Fuzzy Hash: b298ca4e8147ddbcbd08ab44eaa0b29cb01c1affcf7507e95b30e42a61314a2f
Instruction Fuzzy Hash: 1181C374E01218CFDB14DFAAD884A9DBBF2BF88300F54D469E819AB365DB349985CF50

Function 019ABEB0 Relevance: 2.7, Strings: 2, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 019AC118
PH^q, xrefs: 019AC107

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: a84f7eb30d2d1e7500a185c6d4d8bcebcc3130d26156960c52557e07bb7c3849
Instruction ID: 5631d0d71739fc51a21346dcfafb58e3593ca819045e51d8b6c12788ad7a4cf4
Opcode Fuzzy Hash: a84f7eb30d2d1e7500a185c6d4d8bcebcc3130d26156960c52557e07bb7c3849
Instruction Fuzzy Hash: 2381D274E00218CFDB18DFAAD884A9DBBF2BF89300F54D069E419AB365DB309985CF50

Function 019ABBD3 Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PH^q, xrefs: 019ABE27
PH^q, xrefs: 019ABE38

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 138e9f5a9ef75f0593a3367f1122cf0f1fa3ba25fd2f3346565c40dffa5d9c57
Instruction ID: 67995fe8eec898e4608955783f5eacefd2e45368b6022364b286c05b4819566c
Opcode Fuzzy Hash: 138e9f5a9ef75f0593a3367f1122cf0f1fa3ba25fd2f3346565c40dffa5d9c57
Instruction Fuzzy Hash: 0681B274E00218CFDB18CFAAD984A9DBBF2FF89301F549069E409AB365DB349985CF51

Function 019AB4F3 Relevance: 2.7, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

PH^q, xrefs: 019AB747
PH^q, xrefs: 019AB758

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: ebd0eb38610ec0825f3083bd40ef5f29fcfca92bbf29d605ed7dbe3bcb0dc581
Instruction ID: fe66f1c81050059b5e84118a59694c36a90246ebba7ebdeed6998101b49ae188
Opcode Fuzzy Hash: ebd0eb38610ec0825f3083bd40ef5f29fcfca92bbf29d605ed7dbe3bcb0dc581
Instruction Fuzzy Hash: BA61C374E002089FDB18DFAAD984A9EBBF6FF88310F14D069E419AB365DB345945CF50

Function 05ED7D90 Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48160cceee803383a3770e816bd86f5507edd29f0682502f8cead49a5ff48df6
Instruction ID: 8fc005fdf370eafc5540fb9c49704a4e37927be5af22a5421b938161cb189266
Opcode Fuzzy Hash: 48160cceee803383a3770e816bd86f5507edd29f0682502f8cead49a5ff48df6
Instruction Fuzzy Hash: 97F1D274E01218CFDB14DFA9D884B9DFBB2BF88304F5491A9E848AB355DB349986CF50

Function 06FB11A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebed48c567539cd958a9c9b9adaf42a08e73a0db518f5121d385d1927bb19a91
Instruction ID: 6c1f47376055f3822b8fd38a2d2719553cafdc33817aa7f7e161b10e9e45620b
Opcode Fuzzy Hash: ebed48c567539cd958a9c9b9adaf42a08e73a0db518f5121d385d1927bb19a91
Instruction Fuzzy Hash: 80826C74E012288FDB64DF69D998BDDBBB6BF89300F1091EA940DA7264DB315E85CF40

Function 019AF007 Relevance: .7, Instructions: 718COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fec239a550c357b2eabc2c58872af7bcbce7c3b3decdd703bde817929f7f808
Instruction ID: e53ccec3639673f76fa45a5dca5a7034cdda02c7b2ce75f9787914209616daac
Opcode Fuzzy Hash: 9fec239a550c357b2eabc2c58872af7bcbce7c3b3decdd703bde817929f7f808
Instruction Fuzzy Hash: FF72CD74E012298FDB65DF29C884BEDBBB6BB89300F5491E9D40DA7251DB349E85CF80

Function 06FB8608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5be1e6ff78ef496ecbeff2a52c0ba2d879279b1eaa0d5be97f0a61603ef8cd20
Instruction ID: a63884968aed36a8d39c80d32c33a17f97a7f3488c4b04fe008a7d94c1481fbf
Opcode Fuzzy Hash: 5be1e6ff78ef496ecbeff2a52c0ba2d879279b1eaa0d5be97f0a61603ef8cd20
Instruction Fuzzy Hash: F3E1CE74E00218CFEB64DFA5D984B9DBBB6BF88304F2091A9D418A7394DB359E85CF50

Function 05EDCAA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca4f049d2b26da4089bb653412f9d63615a00f9b44f3dad46743aeb355d7342a
Instruction ID: df7f5ebcc46f9f7f8e14eb93095aac0d0940e04e51be06e1923ad73790524ac8
Opcode Fuzzy Hash: ca4f049d2b26da4089bb653412f9d63615a00f9b44f3dad46743aeb355d7342a
Instruction Fuzzy Hash: EFC19D74E00218CFDB14DFA5D984BADBBB6BF88304F2091A9D809AB354DB359E85CF50

Function 06FBB6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b5f0b2c2c13504c9bf53e3e07763c4668f7562ef5c487b55b2de0d538522a8
Instruction ID: a8316c02bb7d59ac476da4072b2651a26d1b75628e31e57d5f4242452c8ec87a
Opcode Fuzzy Hash: a7b5f0b2c2c13504c9bf53e3e07763c4668f7562ef5c487b55b2de0d538522a8
Instruction Fuzzy Hash: FBA19275E012288FEB68CF6AD944BDDBBF2AF89300F14D0AAD40DA7254DB345A85CF51

Function 06FBD670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa0258910770d7738345622c8559e01ba42171f89c190f2cd8fed9b14904439
Instruction ID: b405ab17a98f3086c67caa8b136fe1fa67fed3923a45f669db934d7192b1ad66
Opcode Fuzzy Hash: 2fa0258910770d7738345622c8559e01ba42171f89c190f2cd8fed9b14904439
Instruction Fuzzy Hash: 73A1A375E012188FEB68CF6AD944BDDBBF2AF89300F14D0AAD40DA7254DB349A85CF51

Function 06FBC388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d699408006f442d73d2aea0676a7adbb72d090171c1b166558867daf6b971348
Instruction ID: 3f8771e87ff16a732c2e32b0d1f6ea31b92748aacd01f6c90e38b628561f5990
Opcode Fuzzy Hash: d699408006f442d73d2aea0676a7adbb72d090171c1b166558867daf6b971348
Instruction Fuzzy Hash: 3EA1A375E012288FEB64CF6AD944BDEBBF2AF89300F14D0AAD40DA7254DB345A85CF50

Function 06FBA408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6af300fca56bba69fb24add876b3bf581565abc920c2d63416c7edaf9a4cbfa
Instruction ID: 20693b5664da628d93be36d0973a79346cc6562c244d841c2ed4a48f7cf2fdc9
Opcode Fuzzy Hash: f6af300fca56bba69fb24add876b3bf581565abc920c2d63416c7edaf9a4cbfa
Instruction Fuzzy Hash: FFA1A2B5E016188FEB68CF6AC944BDDBBF2AF89300F14D0AAD40DA7254DB345A85CF51

Function 06FBC9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27f49691507303fe52d546095f82f476e2e09a5fbf8afecdfe703295e221839
Instruction ID: dc7329ed6a2f3d2f0def61f4fa9eead7b283b0e919a21acdc13f7e1e97a414a1
Opcode Fuzzy Hash: c27f49691507303fe52d546095f82f476e2e09a5fbf8afecdfe703295e221839
Instruction Fuzzy Hash: 1DA1A4B5E012188FEB64CF6AD944BDEBBF2AF89300F14D0AAD40DA7254DB345A85CF51

Function 06FBBD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf1a9f0ab3e5d11896c50f296899e677a218a6beb07501ed61da7f006a53458
Instruction ID: 1025931e1f2841877fcc9982121b8ada068fc4f5853388ace6adce560688545a
Opcode Fuzzy Hash: 3bf1a9f0ab3e5d11896c50f296899e677a218a6beb07501ed61da7f006a53458
Instruction Fuzzy Hash: 35A1B275E012188FEB64CF6AC944BDDBBF2AF89300F14D0AAD509A7254DB305A85CF50

Function 06FBAA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d9a518643f61ae903a5d2a178db317c98e2b53d9ef73a533b0db85605da228
Instruction ID: 4b55222a46d1ba8e431141ea52e0ef26223f697f101d02228458e6030b2978c5
Opcode Fuzzy Hash: 83d9a518643f61ae903a5d2a178db317c98e2b53d9ef73a533b0db85605da228
Instruction Fuzzy Hash: 3CA19475E012188FEB64CF6AD944BDDBBF2AF89300F14D0AAD409A7254DB345A85CF51

Function 06FBB0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0d18b8d3de8cc9b17f6e687699414fd2a9e3db675f7f6eb6da7e092223857e
Instruction ID: 0b8e91c76478c553e7ebf7a68515f2b82f96538e6776b95d360129e9b5091173
Opcode Fuzzy Hash: 1d0d18b8d3de8cc9b17f6e687699414fd2a9e3db675f7f6eb6da7e092223857e
Instruction Fuzzy Hash: AAA19F75E016288FEB68CF6AC944BDDBBF2BF89300F14D0AAD409A7254DB345A85CF51

Function 06FBD028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b0bba4b3acf909f3561d63b9fa76af6105988ffce9da413fce960ed45f3fa6
Instruction ID: 58b6ebe314c43f3f60733b5506c876fe099c001593c0400a585b5eaa7708a44f
Opcode Fuzzy Hash: e4b0bba4b3acf909f3561d63b9fa76af6105988ffce9da413fce960ed45f3fa6
Instruction Fuzzy Hash: 93A19275E012188FEB68CF6AD944BDDBBF2AF89300F14D0AAD40CA7255DB349A85CF51

Function 06FB1191 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49458fe6fa66c367c763c2766cfcb52d06b491f144f5bc0d989545fec2ce6c8f
Instruction ID: fe578c3b5411eb552595e238e8c699bb3add023ed1511a3c6138a18f33957fcf
Opcode Fuzzy Hash: 49458fe6fa66c367c763c2766cfcb52d06b491f144f5bc0d989545fec2ce6c8f
Instruction Fuzzy Hash: 9181A274E412289FDB65DF25D894BEDBBB6BF89300F1091EAD909A7254DB306E81CF40

Function 06FBB08F Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13952134d1e0544950c71c80d93da19de1f42bc7a409bd2dc1e5d9b1e8437018
Instruction ID: 86b62272f0fc05f1a7cf678d6b73e19deaadd7c333402706a6d7277c7bac84b9
Opcode Fuzzy Hash: 13952134d1e0544950c71c80d93da19de1f42bc7a409bd2dc1e5d9b1e8437018
Instruction Fuzzy Hash: B3819671E016188FEB68CF6AC944BDDBBF2AF89300F14D1AAD40DA7254DB345A85CF51

Function 06FBD018 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138cd43dad0e6a9b9827b93ba297d5764f3f885c8fa7fc54d99f95c634d4a0fc
Instruction ID: a73cb4d5d097d1fa1d30e510297abca1e23ade9b3b9b8f375e15b390890b3b8a
Opcode Fuzzy Hash: 138cd43dad0e6a9b9827b93ba297d5764f3f885c8fa7fc54d99f95c634d4a0fc
Instruction Fuzzy Hash: 22718671E016188FEB68CF6AC944BDDBBF2AF89300F14D0AAD40DA7254DB345A85CF51

Function 06FBAA52 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998daad414bf90815e1dab69bd3dd403d89f47e9d5a9199b74bc80e34337ced2
Instruction ID: f6c16d2172c8453e4a3951fa4648d41a9fe164413f86df4ace229151769be296
Opcode Fuzzy Hash: 998daad414bf90815e1dab69bd3dd403d89f47e9d5a9199b74bc80e34337ced2
Instruction Fuzzy Hash: F5717371E016288FEB68CF6AC944B9DFBF2AF89300F14D0AAD50DA7254DB345A85CF51

Function 06FBC378 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8aee3aa5ef0e79e838fa16d25ceb4eba7feec484af4e8198d429c2864d5d0b
Instruction ID: 8661589bdc27b3251932a027ff4b581ed1fa60a4a5437109cc8beb02f1bc2026
Opcode Fuzzy Hash: ea8aee3aa5ef0e79e838fa16d25ceb4eba7feec484af4e8198d429c2864d5d0b
Instruction Fuzzy Hash: BC5198B1E016189BEB58CF6BCD557CAFAF3AFC9304F04C0AAD50CA6255DB740A868F51

Function 06FBC9C8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af471bdf395a6073fd31645976c350c6b5e7d997fe761b3748ada4daba247919
Instruction ID: 255bceed20885873010e004f9bdf424ef8776713ee6df3b3862d1dee47888cc0
Opcode Fuzzy Hash: af471bdf395a6073fd31645976c350c6b5e7d997fe761b3748ada4daba247919
Instruction Fuzzy Hash: 1351A8B1E016189BEB58CF6BDD447DAFAF7AFC8310F04D0AAC50CA6264DB740A858F51

Function 06FB8602 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08f5a1a647b8d9df7d91e143b521537d3e7943e01e4e22ef7d9eb176119798f
Instruction ID: 92c4d50394887dfcb4f3c78bfee1446cbe373ee72182a694fb7bf229dc1d0c94
Opcode Fuzzy Hash: c08f5a1a647b8d9df7d91e143b521537d3e7943e01e4e22ef7d9eb176119798f
Instruction Fuzzy Hash: C441D2B0E002088BEB58DFAAD9447DEFBF6AF88304F14D169C418BB250DB755946CF64

Function 06FBBD28 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9907567e2a9776b1ac827d3db1ea153d8d5bd38424be6038dfb45b90b192c8e8
Instruction ID: 1e1128b91c3888a733c950e063991807d9cf8b4a501801d1ad24c316a1b12d8c
Opcode Fuzzy Hash: 9907567e2a9776b1ac827d3db1ea153d8d5bd38424be6038dfb45b90b192c8e8
Instruction Fuzzy Hash: 35417AB1D016189BEB58CF6BCD457DAFAF7AFC8310F04C1AAD50CA6264DB740A868F51

Function 06FBA3F8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 006fe4671011210abfe2ef71095a6eaa5030ca4a6dd857247b11f4df0239917d
Instruction ID: 8f3ee41e879fe385aa3511c3e70247f06a19b3628d064311d32b6b74eb9290f5
Opcode Fuzzy Hash: 006fe4671011210abfe2ef71095a6eaa5030ca4a6dd857247b11f4df0239917d
Instruction Fuzzy Hash: 68418AB1E016188BEB58CF6BCD457CAFAF7AFC8310F14C1AAD50CA6254DB340A858F51

Function 06FBD661 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b051f553fbc41cc8b08abe7793d0dbf157d0858ea8df7ae5a097cc320cf455
Instruction ID: dbfc50c39415a28551fde67b62ba33c2072df536741b2dce4397eea91eec8bb8
Opcode Fuzzy Hash: 40b051f553fbc41cc8b08abe7793d0dbf157d0858ea8df7ae5a097cc320cf455
Instruction Fuzzy Hash: A04169B1E016189BEB58CF6BDD457CAFAF3AFC8304F04D1AAD50CA6264DB740A858F51

Function 06FBB6D9 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcfb80a2b9ce5d006b590dc78daf8219f5f138d3aa8006d24ffd194dc62f0502
Instruction ID: bbc1ec08a5116c0870bc1dc0f16fb1a78cb9d35234f9200d7bf5d3d4620d75d6
Opcode Fuzzy Hash: dcfb80a2b9ce5d006b590dc78daf8219f5f138d3aa8006d24ffd194dc62f0502
Instruction Fuzzy Hash: E94177B1E016188BEB58CF6BCD457CAFAF3AFC8300F04C1AAC50CA6264DB740A858F51

Function 019A6E58 Relevance: 10.5, Strings: 8, Instructions: 498
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 019A6F7D
(o^q, xrefs: 019A701A
(o^q, xrefs: 019A6E96
(o^q, xrefs: 019A6F51
(o^q, xrefs: 019A7377
(o^q, xrefs: 019A7367
,bq, xrefs: 019A72F8
,bq, xrefs: 019A7308

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 4eee26ba2fb1e26611013d1cfc7498e2893e52e24918963b0db0ba9d22aa780f
Instruction ID: e1c5c948b791051b1ed6abe4e7438e29d23ec8c0bb78886d523b9afdabb02439
Opcode Fuzzy Hash: 4eee26ba2fb1e26611013d1cfc7498e2893e52e24918963b0db0ba9d22aa780f
Instruction Fuzzy Hash: 3A228F30A002058FCB19CFA8D985A9DBBF6FF88315F558569E909DB361DB31EC49CB90

Function 019A77F0 Relevance: 3.2, Strings: 2, Instructions: 699
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 019A8314
$^q, xrefs: 019A8337

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 0c4c220076f37bca5728452d155e6171ab062b270f5812eedfcda9379800efb9
Instruction ID: bb7110435408badd15fbe6620833e66b6c8d9dd02f5b1af12fe24a200540747d
Opcode Fuzzy Hash: 0c4c220076f37bca5728452d155e6171ab062b270f5812eedfcda9379800efb9
Instruction Fuzzy Hash: 30520E74A00219CFEB14DBA4C8A4BAEBB77FB54301F1081A9C10A6B365DF359E89DF51

Function 019A87E9 Relevance: 2.8, Strings: 2, Instructions: 335COMMON

Download Yara Rule

Strings

4'^q, xrefs: 019A8837
4'^q, xrefs: 019A8811

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 3f207b6e8c970c38e677b16d3393ababd61d2ed21ca9c8bc788653ae7126b752
Instruction ID: 88c1e5d0084d7cf0beb1e8b0beeb090915ea7e07099f6f2ef0c28d98b28b5240
Opcode Fuzzy Hash: 3f207b6e8c970c38e677b16d3393ababd61d2ed21ca9c8bc788653ae7126b752
Instruction Fuzzy Hash: 32B185707145018FE7159B2CC968B397A9AEFC5603F984466E10ACF3B1EE25CC4AC7C2

Function 019A56A8 Relevance: 2.8, Strings: 2, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 019A57C6
Hbq, xrefs: 019A5793

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: b355505efc0460774f1d410230b9aa0ea00096d8e69e6e9d24cd58cf25e01d7d
Instruction ID: d28b71dd21fddd1cc7512a3ecd1728d94ae47dab073111c3f95db097aa43b992
Opcode Fuzzy Hash: b355505efc0460774f1d410230b9aa0ea00096d8e69e6e9d24cd58cf25e01d7d
Instruction Fuzzy Hash: 3491C1307042049FEB15AF2CD898B2E7BEAFF88301F558869E94A8B395DF34D845C791

Function 06FB23E0 Relevance: 2.7, Strings: 2, Instructions: 239
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 06FB23FC
LR^q, xrefs: 06FB2529

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID: LR^q$LR^q
API String ID: 0-4089051495
Opcode ID: 7a5a38e45bf7af5ba7b3deda6dfb9d619eadb2781489d934284b4edfd0b225f2
Instruction ID: 1348816543eb2e08ef76cc7a9179c518701e12df37b5f30f1a8f08f62c2a0ed0
Opcode Fuzzy Hash: 7a5a38e45bf7af5ba7b3deda6dfb9d619eadb2781489d934284b4edfd0b225f2
Instruction Fuzzy Hash: 6381C031B101068FCB48DF7ED854AAE77B6FF88604B1581A9E505DB3A5DB30ED02CB95

Function 019A5C08 Relevance: 2.7, Strings: 2, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 019A5CDE
,bq, xrefs: 019A5CE8

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: cc910f9efc855c634a8037d8fcb3a5ddf6d5b9d3eb78f8b70c84c067d133e7de
Instruction ID: 339e42777d59f4cad5757b62e1fceffe55b344215e0131b4548fa636462b8628
Opcode Fuzzy Hash: cc910f9efc855c634a8037d8fcb3a5ddf6d5b9d3eb78f8b70c84c067d133e7de
Instruction Fuzzy Hash: 6F81F434B00105DFEB14CF6CC88896ABBBAFF88211BA68569D609DB365D731EC45CBD0

Function 06FB9510 Relevance: 2.7, Strings: 2, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&^q, xrefs: 06FB962B
(bq, xrefs: 06FB96EA

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID: (&^q$(bq
API String ID: 0-1294341849
Opcode ID: be8a374c7e99dbc55b745f65dc17c8d180d69aace4c279c5778912ed3e0f49e7
Instruction ID: 6a48acf54dfb9efc91205d71c4edef1aed8cd98702d2377ac3a47d29b9cd4842
Opcode Fuzzy Hash: be8a374c7e99dbc55b745f65dc17c8d180d69aace4c279c5778912ed3e0f49e7
Instruction Fuzzy Hash: 4F719F31F002199BDB55DFB9C850AEEBBB2AFC9700F148529E505AB380DF70AD46CB95

Function 019A3428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xbq, xrefs: 019A345E
Xbq, xrefs: 019A3435

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: ad0e77eb11e9d14c65574702b0706a273f8c499b4b22813689658e68a732e9a6
Instruction ID: 07412492bcd7e34467e3c08f455b72f5836a347657248e699081edf965487ea6
Opcode Fuzzy Hash: ad0e77eb11e9d14c65574702b0706a273f8c499b4b22813689658e68a732e9a6
Instruction Fuzzy Hash: C2313735B043258BEF198A7E999427EA9DEBBC4612F444439E90EC3384DF74CE4887D1

Function 019A0C8F Relevance: 1.7, Strings: 1, Instructions: 407COMMON

Download Yara Rule

Strings

LR^q, xrefs: 019A0E5E

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: cda87377f2e3ef0ac27a8d738eb11d8f6ce927c903575d9efcb9bf27969114b1
Instruction ID: e1689994ed050aa75fb703b003358783cfa035203433515732505a87e14111a6
Opcode Fuzzy Hash: cda87377f2e3ef0ac27a8d738eb11d8f6ce927c903575d9efcb9bf27969114b1
Instruction Fuzzy Hash: 4022B974A00219CFCB54DF64ED94AADBBBAFF48301F1095A9E809A7358DB346D89CF41

Function 019A0CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LR^q, xrefs: 019A0E5E

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: b46c087d044230aeeba4525563d4bf0533f995c60e09a8681d69d8f343c4ce2f
Instruction ID: d6fd9cab018f4407dcabf68726217448494e35b5ff59d082b0df61f0caefb25f
Opcode Fuzzy Hash: b46c087d044230aeeba4525563d4bf0533f995c60e09a8681d69d8f343c4ce2f
Instruction Fuzzy Hash: 4322BA74A00219CFCB54DF64ED94AADBBB9FF48301F1095A9E809A7358DB346D89CF41

Function 05ED8174 Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 05ED82B6

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 15d689d6efd82bb4e66ec65a9903bcbc6b049ac9fcd68037ce92e1c512fdf2cf
Instruction ID: cb3581ea35c4c66ad749b7518688ce6d47c3b9ff433f1a7a37db11950e7702a3
Opcode Fuzzy Hash: 15d689d6efd82bb4e66ec65a9903bcbc6b049ac9fcd68037ce92e1c512fdf2cf
Instruction Fuzzy Hash: 8C116A74E091099FDB04DFA8E884EFDFBB5FB88304F54A164E944E7245EB31A942CB60

Function 019AA650 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

(o^q, xrefs: 019AA7D9

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: 1970951268e3e6ed5ff25232b944b173b0077732ae220ef44d472c65f0a0b61f
Instruction ID: e11a7dbf069026434b93d90f7474d848867536bf614e39ca3281ec3bf5fd060b
Opcode Fuzzy Hash: 1970951268e3e6ed5ff25232b944b173b0077732ae220ef44d472c65f0a0b61f
Instruction Fuzzy Hash: 564101327006049FCB04AB68E858AAE7BFAFFC9611F548469D50ADB391CE309C05CBE0

Function 019AA818 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a56de18fc92bd64105b89a537bf6e58c656d9571763e2448c82e82ebbb21620
Instruction ID: aefab86bcc27e1510fbf0c15ef30ab9e90e4c72d5d56805af8984c79ec43bcf1
Opcode Fuzzy Hash: 3a56de18fc92bd64105b89a537bf6e58c656d9571763e2448c82e82ebbb21620
Instruction Fuzzy Hash: 6DF14C75E002158FCB05CF6CD8889ADBBF6FF88311B5A8469E519AB361CB35EC45CB90

Function 019A7438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc65fa8c7f95ff33565c7a8f17b56d021b6a284e3ac85b1c8600a3cde357ac1
Instruction ID: dd58aa181a936749e9b477684ba4c70b00ee51e47eb0dc15e2f7d10285e310e8
Opcode Fuzzy Hash: 6cc65fa8c7f95ff33565c7a8f17b56d021b6a284e3ac85b1c8600a3cde357ac1
Instruction Fuzzy Hash: E7719D343002058FDB19DF6CC499AAD7BEAAF89601F5540A5E90ACB3B1DB31DC45CBE1

Function 019ACEC7 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4af1cfa438e74ae74b4b711acb5fd51272e00b417a86bc78424549f13c14dd
Instruction ID: dda74665c7f7a0fb3f8a49da4892d2931f8b7c4e3d1e40aceb810bfe110082c6
Opcode Fuzzy Hash: ce4af1cfa438e74ae74b4b711acb5fd51272e00b417a86bc78424549f13c14dd
Instruction Fuzzy Hash: 5851BC342663528FD3103B34B9AC17ABBA5FB4F323745BD41B11F86019CB7068698F62

Function 019ACED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169bfca14f878f1479d17f1737deea5322cad19ffb61b949f95faaf6801f9014
Instruction ID: 95f41827f105082770ee12a16f1dbec18621588c74b05d4502e1467c6e815046
Opcode Fuzzy Hash: 169bfca14f878f1479d17f1737deea5322cad19ffb61b949f95faaf6801f9014
Instruction Fuzzy Hash: B05198342663568FD3103B34BAAC17ABAA5FB5F727741BD01B11F81019CB7068A98F62

Function 019AE2D9 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d19c47edcb2d3fc2a862af966adad54242375e5f6901565506134cbcdcf3e0
Instruction ID: 1b7e635309c2be5a3e06becc3e488641e97f9a2709694b23379df84ff106455d
Opcode Fuzzy Hash: d6d19c47edcb2d3fc2a862af966adad54242375e5f6901565506134cbcdcf3e0
Instruction Fuzzy Hash: 0C611474E01218DFDB14DFA4D894AADBBB6FF88304F608529E809AB354DB359989CF40

Function 019ACD10 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0421b8bf20c8576b8d8b2d6b26f7b36d6dbc27c26850e22c2b4100282c882a4b
Instruction ID: 3c750be203cb5ea4a861bb359250697c0ed1f95bcb7ca15cb3afedda936abb5a
Opcode Fuzzy Hash: 0421b8bf20c8576b8d8b2d6b26f7b36d6dbc27c26850e22c2b4100282c882a4b
Instruction Fuzzy Hash: 8E518274E012189FDB58DFA9D9849DDBBF2FF89300F249169E819AB364DB30A905CF50

Function 06FBDCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9180819c501777efa2d2201192db0150e8167fcc1f50f5f837c1f9970662b260
Instruction ID: 26c896a8af0618b69e5c2a7a71452b1777ae8383cdb8c3b67ccac0da057b7ea5
Opcode Fuzzy Hash: 9180819c501777efa2d2201192db0150e8167fcc1f50f5f837c1f9970662b260
Instruction Fuzzy Hash: 2C414F31A01319CFDB04AFA1D89C7FE7BB9EF8A316F406859D10667294CB781A44CF95

Function 019A3908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec09963093d465de2b32290f524581e0e1d56253db75dd13a02dca159de2a16
Instruction ID: 94b91096a575d71237b436b347cd266f38ff34f48ef85ef5115fa1be2162a425
Opcode Fuzzy Hash: cec09963093d465de2b32290f524581e0e1d56253db75dd13a02dca159de2a16
Instruction Fuzzy Hash: E1519175E01208CFCB48DFA9D99489DBBB6FF89300B609069E809AB324DB35AD45CF41

Function 06FB9A49 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85eb7427ca713cd8b0f3a46df88d748b65b599abe83b01e95e3da78c6565c04
Instruction ID: 47b67d00e9788a02c02e84d92e96b54a2381d2f3c507bd227e8f3a1d96006686
Opcode Fuzzy Hash: c85eb7427ca713cd8b0f3a46df88d748b65b599abe83b01e95e3da78c6565c04
Instruction Fuzzy Hash: 7651F275E002089FDB04DFA5D488BEDBBF6EF89310F10902AD519A7394D7785A46CF90

Function 019AF0E9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac4b3db26e1a4b7f5c3d3cbdea2a942c8fad104e85e545cf1cbb526356b53905
Instruction ID: 69bd72f2e9c97c53b88c637a39bac8007a8ff9d9c09abea6f67cb101d26beea2
Opcode Fuzzy Hash: ac4b3db26e1a4b7f5c3d3cbdea2a942c8fad104e85e545cf1cbb526356b53905
Instruction Fuzzy Hash: C1519B74E01228CFCB64DF68D984BEDBBB6BB89305F5054EAD409A7250D735AE85CF80

Function 019A9A63 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e25432e96d4659dd32f0b128eb28f4791c93c9cb35ee58f1261384cf6d3518
Instruction ID: e36c50ca155c4688db99e7f97544c302de6e96f73c585fec7b832bb0479a0f80
Opcode Fuzzy Hash: 79e25432e96d4659dd32f0b128eb28f4791c93c9cb35ee58f1261384cf6d3518
Instruction Fuzzy Hash: C441C231A04249DFCF12CFA8C844A9DBFB6FF49319F448556E9199B2A2D335D918CBA0

Function 019AE1F8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa44bc3d61253c4b2e7680f04680b8f711e8eac26cbb0f437fe967e17ffd8707
Instruction ID: ac15e375b23e1614357604a6bf71d6d1c8ad59198c54493607a3d1e2599a2df6
Opcode Fuzzy Hash: fa44bc3d61253c4b2e7680f04680b8f711e8eac26cbb0f437fe967e17ffd8707
Instruction Fuzzy Hash: 9C410D71D042198FDB12DBACDC806ADBFB9FB55300F8485AAD418DB256EB346909CBD1

Function 06FB9500 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159f1b7113a08c693f8d98025780f6b354d6c7a51c5bd79866869841afdbdd2e
Instruction ID: 7c2721582b4b94a4e8c691bd40ed6a3ba40ed6b3fb68984ffee32b3420ca8d26
Opcode Fuzzy Hash: 159f1b7113a08c693f8d98025780f6b354d6c7a51c5bd79866869841afdbdd2e
Instruction Fuzzy Hash: C7418231E002099BDF54DFA6C880ADEBBF6AF89700F149129E515B7380EB70AD46CBD1

Function 019AD7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb2953d2572ef0296c46a8d5268709bd26aa273974e6bce4a31e7926514bc37
Instruction ID: 48a4df4747d6d0f3afcf74d34d8c7e071069832c39438fc7e48246fd192e41cb
Opcode Fuzzy Hash: 5bb2953d2572ef0296c46a8d5268709bd26aa273974e6bce4a31e7926514bc37
Instruction Fuzzy Hash: 0E4125B4D04208CBCB14DFE8E484AADBBF5FB49301FA0A519E41EA7645D7749889CF94

Function 019AD7EB Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68b173ab035bc865af24ea91bf1c8c0bbaee4124e84078cf9308047e97e29fea
Instruction ID: 653b7c7833f796798304949e0c012fcff393f11c3877b4d45a1a2927feae4298
Opcode Fuzzy Hash: 68b173ab035bc865af24ea91bf1c8c0bbaee4124e84078cf9308047e97e29fea
Instruction Fuzzy Hash: 0A4143B0D04208CFCB05DFA8E484AEDBBF5FF4A301FA1A519E409A7655D7349889CFA0

Function 06FB9A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab69cca075b1c1acce1ef993dae50cef350c9219a29193ed2fd6e24f0a6a40f
Instruction ID: f7b354a890f2407f52b6cc9a0e22ca8520d00123b7d48e2a4a5eed7fccadfea8
Opcode Fuzzy Hash: fab69cca075b1c1acce1ef993dae50cef350c9219a29193ed2fd6e24f0a6a40f
Instruction Fuzzy Hash: 7C41C074E002088FDB44DFA5D5887EDBBF6EF89304F10A02AD919A7394DB785A46CF50

Function 019AD76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e854bacf1f25587ec5ddfe997397e70b744943c9e51d3fffb6fc3fda2a3a14f6
Instruction ID: fd26c53f7179478a181db86d805c265aedbda1cb26e8e5341e81fca946648df5
Opcode Fuzzy Hash: e854bacf1f25587ec5ddfe997397e70b744943c9e51d3fffb6fc3fda2a3a14f6
Instruction Fuzzy Hash: E14102B0D01209CFCB04DFE8E488AEDBBF6FB49311FA0A519E409A7655D7349989CF94

Function 019AD620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09cb23fa0fe6e2c766df3174e5e888a62751057cf66727c026d9166212d1ecb
Instruction ID: 9860d95945c1c686b07796c15d37649bd025100fbe5aac2b61776de9e0593266
Opcode Fuzzy Hash: f09cb23fa0fe6e2c766df3174e5e888a62751057cf66727c026d9166212d1ecb
Instruction Fuzzy Hash: FD4138B0D01208CBDB08DFA9D444AEEFBF6FB89301F54E529E808A7654DB749945CF94

Function 019A4DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0b32e554bae35385f92bf7ba470986e21c440d7c428cb9d701a052dbf24cfe
Instruction ID: bbad89b4b5c5c16e486a12defb8805b6335b7a1458796ff5c4b3e040eea6ba2a
Opcode Fuzzy Hash: 3e0b32e554bae35385f92bf7ba470986e21c440d7c428cb9d701a052dbf24cfe
Instruction Fuzzy Hash: A531827130410A9FCF059F68E854AAE3BABFB48301F548428FA5987351CB79DCA5CBE0

Function 06FBDCB1 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb2bbb884ce725f3672a0ec25436aecf758761f26bcf47344053b1ab80de5f7b
Instruction ID: 56a57620a1290d67441b0d05ea18c6cc688b70788f4287c7ebcc15527a7f006c
Opcode Fuzzy Hash: fb2bbb884ce725f3672a0ec25436aecf758761f26bcf47344053b1ab80de5f7b
Instruction Fuzzy Hash: C6319C31E01309DFDB009FA1D85C7FEBBB9EF8A315F00A869D10266290CB781A48CF91

Function 019A76D0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e0a53c7c9a9e61fd02eea22e39c0bf4ad54d6045c12c92220c8864c5a912be
Instruction ID: a237eded90bf3329bfd0139d3f8fa2834cab300d13dbf72cb14f3f8ca4de7ea8
Opcode Fuzzy Hash: 51e0a53c7c9a9e61fd02eea22e39c0bf4ad54d6045c12c92220c8864c5a912be
Instruction Fuzzy Hash: A62135353042004BEB2A17BDCC89A393F9BEFC5606B584079C50ACB756EE26CC4AD7C1

Function 019ADF79 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f488a806848c813444eae33703b4bbb692da6ea07533dd0013f45fa3e71fc1d
Instruction ID: 3f83a7525beece90234b1d6b53baee58abc645820fdca58e894006081a83d4a1
Opcode Fuzzy Hash: 5f488a806848c813444eae33703b4bbb692da6ea07533dd0013f45fa3e71fc1d
Instruction Fuzzy Hash: 2C21C371D041098FDB04CFEE98045EEBBFAAFD9300F44E425D508B32A5DB7495098AD1

Function 019AA809 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c924175b3b3e49eb67994ff6c101cd8fceb5c49cefa914478f89d1d1b4d3916
Instruction ID: 2ac1c9482ba2372879b081d651c0a59d837fb0a4ad39354a62bbdf8c467eac9f
Opcode Fuzzy Hash: 7c924175b3b3e49eb67994ff6c101cd8fceb5c49cefa914478f89d1d1b4d3916
Instruction Fuzzy Hash: 7B31C171A005098FCB04CF6DC8889AEBBBAFF84710B158559E5599B3A5CB30DC46CBD0

Function 019A76E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34bd53c863b98ee205fc0887f3815afbfc542f06f5fe375aeae7b8530129887e
Instruction ID: 0b00c2e7b0fc49dcf8b839b4e472c59af3cd6842fb7a20ddb5235f4bbbe7eb2b
Opcode Fuzzy Hash: 34bd53c863b98ee205fc0887f3815afbfc542f06f5fe375aeae7b8530129887e
Instruction Fuzzy Hash: 0D21F5353002044BEB191679C899A7E3A9BDFC4B1AF548478D50ACB799EE26CC86D7C1

Function 019A4DBB Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd7fdf7a1606e72e26bd2fdec4bc4e7cb9bbc12b5c896e41be250f7c3e7093b
Instruction ID: dd8cfe74685bb72fac1ff0b5d3a310c94cc2c9a4802f9add7c3c114b3aa6848d
Opcode Fuzzy Hash: bdd7fdf7a1606e72e26bd2fdec4bc4e7cb9bbc12b5c896e41be250f7c3e7093b
Instruction Fuzzy Hash: 8831C37170410DCFDB15EF68E848BAE7BAAFB88311F144468E9098B244CB78EC95CBD0

Function 019AD11F Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934c4bc37b3155ad157f7f9637fa3778e1a021fade80f7aa407b85891b50bcad
Instruction ID: 51490c3a44a0c467810810831d9ca31ade7918ad2bbc4430d395b7210658b86a
Opcode Fuzzy Hash: 934c4bc37b3155ad157f7f9637fa3778e1a021fade80f7aa407b85891b50bcad
Instruction Fuzzy Hash: 80214B31D102099EDF14EFE8E8056EDFBB8FF5A305F40A525E50877214EB30AA5ACB80

Function 019A2060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a09b56adbe390a7ff40af981247ba63022348f55fe40fc1dc3d69b6990c0ef81
Instruction ID: d448816c09da734e8297f0d9d472b5b92c6e11d60302bd1d969f0ded23f93780
Opcode Fuzzy Hash: a09b56adbe390a7ff40af981247ba63022348f55fe40fc1dc3d69b6990c0ef81
Instruction Fuzzy Hash: 7921AE75A002159FCB14DF28C4409AE37AAEB99664F51C059D84E8B240DA39EE46CBD2

Function 016BD4F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155726907.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16bd000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce1544d6955a00789108ecda5ce695d6588f2c03d557b8587db384b214c4f862
Instruction ID: 57b54f521a49848b9163f3e9352dea741746469002da5d4a3efde1477c64860f
Opcode Fuzzy Hash: ce1544d6955a00789108ecda5ce695d6588f2c03d557b8587db384b214c4f862
Instruction Fuzzy Hash: C02100B2504204DFDB05DF58D9C0B66BFA5FB8831CF24C569E90A4E25AC336D496CBA2

Function 019A5A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df593afcd4ef0f870c84cf9d348090758edec82559646a8677bd3784c6b1c10f
Instruction ID: 51fbe90187e7a98a5f05a86166223df2d563b618db6c5e24ba6320ebcbeec57e
Opcode Fuzzy Hash: df593afcd4ef0f870c84cf9d348090758edec82559646a8677bd3784c6b1c10f
Instruction Fuzzy Hash: 4E21F3313016118FE715AA29D8A892EB79AFBC9712B468579E90ACB344CF34DC06CBC0

Function 016CD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155780030.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16cd000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ddd419b8e466e87c4732fb3addab6cee0a4bd6ac887f7a21a6961ee0b8b3519
Instruction ID: f945f282179693f817a355299977167a17a35e0c3e9a5df9840619f7297f4e2b
Opcode Fuzzy Hash: 8ddd419b8e466e87c4732fb3addab6cee0a4bd6ac887f7a21a6961ee0b8b3519
Instruction Fuzzy Hash: E121D071604204EFDB15DF68C984B26BBA5EB84B14F20C57DE9494B352C73AD447CAA2

Function 019A215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4577b127fa5feff93a7ab06c715cc99b3b0460001f3a4aac528df8a7868d0a
Instruction ID: 287c8eeaa20d076cd94023f9254e18152e4b0396b97e88ab3cf95c215b420c4a
Opcode Fuzzy Hash: 3b4577b127fa5feff93a7ab06c715cc99b3b0460001f3a4aac528df8a7868d0a
Instruction Fuzzy Hash: C7117F35E083899FCB029BB89C108DEBF35FF8A2107158796D627B7191E935280AC392

Function 06FB96F0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daea554e324c4e1c643eca7182091bb94680718ff07953cd9e87d12ea83cecd6
Instruction ID: 9255f8ec7c34b79103b7ed68f1e79cdf08391ed7e5c5ae4a5adc3c61c47405ac
Opcode Fuzzy Hash: daea554e324c4e1c643eca7182091bb94680718ff07953cd9e87d12ea83cecd6
Instruction Fuzzy Hash: 67112B363082A45FCB466FB858251AE3FA7EFC9250754446DE549DB381DE34CE0283A6

Function 019A39ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2498b8897add1736d2d599ddaf3fe9235f8f87c73463712a30b1cf7380a15c89
Instruction ID: 9709740dc73dae5bbbc32ff320f4b6f70ade3227f8683178de99daa522537dc6
Opcode Fuzzy Hash: 2498b8897add1736d2d599ddaf3fe9235f8f87c73463712a30b1cf7380a15c89
Instruction Fuzzy Hash: 0531C478E11309CFCB04DFA8E5948ADBBB6FF49305B2094A9E819AB324D735AD45CF41

Function 019AD60F Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5455a013b4b9c2509896fe8dcbf3151f6741d86bbd9127ebff528cd7cb5d49e2
Instruction ID: dce2b2b0491d5a8dfb6b7b9ba9d048c6b2dd240d8bff0d025749b22ebd6c4e22
Opcode Fuzzy Hash: 5455a013b4b9c2509896fe8dcbf3151f6741d86bbd9127ebff528cd7cb5d49e2
Instruction Fuzzy Hash: 5F116D71D006098BDB08CFEED8446EEBBF6AFC9301F58D025D418A7255D770490A8E90

Function 06FBE0C0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d00d7897a487e097cad8d376c6932f3fe610ed19c5ab98d1daf2d13911c809
Instruction ID: 61b37255fabddcbc814e3025b2bf60220d22c4555b19706538ed5506c7b1ca94
Opcode Fuzzy Hash: f0d00d7897a487e097cad8d376c6932f3fe610ed19c5ab98d1daf2d13911c809
Instruction Fuzzy Hash: 0311A5313042549FD7051B7AAC585EBBAABAFDA350B188476E546C739ADD348C0A8371

Function 016BD4EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155726907.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16bd000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: a09855d83567b6b19ead99407c89e36801a33760260c98f30a610f7707fac4b4
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 7511AF76504244CFDB16CF54D9C4B56BF61FB84318F28C5A9D9090F257C33AD49ACBA1

Function 019A1F61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42146425b620d1215ddb0608c58d8d6329a53d82e8bae197495d7a66e8368106
Instruction ID: 7504f80bc846b589df67966c74583bbb4b33a4b2333a3675b55b2580fead269e
Opcode Fuzzy Hash: 42146425b620d1215ddb0608c58d8d6329a53d82e8bae197495d7a66e8368106
Instruction Fuzzy Hash: EE21F474D0520A8FCB05EFA8E8454EDBFF5FF49300F00916AD809B7214EB305A49CBA1

Function 06FB2670 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a607fd570afaba13bca67f13d8b6622329083dc0c1b149cb69a3090f1eddc2
Instruction ID: 4dffc719fbf2e34c947f754fceb540f537fcbb1b1097a551d5dd64583c70e877
Opcode Fuzzy Hash: 31a607fd570afaba13bca67f13d8b6622329083dc0c1b149cb69a3090f1eddc2
Instruction Fuzzy Hash: 5B11ED72E002118FC790EB7CE408AAA3BF8EF89721B1041A9E50ACB311EB71DD018BD0

Function 06FB9350 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df1de654b95ca25695b9c3218ae7215cf0b184dd7f8aa661f7a072da72aaf3b6
Instruction ID: c720f89d9cabe7cbc0f22b8f38f4f51cefce399057d933977b79b841e232975f
Opcode Fuzzy Hash: df1de654b95ca25695b9c3218ae7215cf0b184dd7f8aa661f7a072da72aaf3b6
Instruction Fuzzy Hash: 5C1167B2800249DFDB10CF9AC944BDEBFF4EB48320F108419E614A7210C379A950CFA5

Function 06FB9999 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 857f180e840fca4a17ed1754a4db15a089ee08cec9d22fc71c4cc6f9dbefdce6
Instruction ID: 7b650748c7465befddec86ae3284f608db6d22ac9ada1aef602e753dc62d9987
Opcode Fuzzy Hash: 857f180e840fca4a17ed1754a4db15a089ee08cec9d22fc71c4cc6f9dbefdce6
Instruction Fuzzy Hash: 271153B6800249DFCB10CF99C944BDEBFF4EF48320F14842AE628A7260C379A550CFA0

Function 06FB8EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5fd03e98a6a0c944d409ab0a410c80934f414921530f7b393408ed03baec20
Instruction ID: 43ad972dc985b1ae9ebf52e7b93de81458690639eea237bdb731a2696db93e47
Opcode Fuzzy Hash: 8f5fd03e98a6a0c944d409ab0a410c80934f414921530f7b393408ed03baec20
Instruction Fuzzy Hash: 52113035F001498FEB04DFF9D850BDEBBB6AB88355F00A065F918E7349EB3099428B51

Function 019AE208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2935daf220ee1061eeea3073fb35742c1a7254649b55e131ac6f51e604e125
Instruction ID: 2a0d9b5c7c25cc2592af8c3214db186c35b14ea64c1846b840568ad6fed0950c
Opcode Fuzzy Hash: 2f2935daf220ee1061eeea3073fb35742c1a7254649b55e131ac6f51e604e125
Instruction Fuzzy Hash: D3114C70E002099FDB44DFB8D9906AEBBF6FB48300F00E5A9D0089B314EB345A498B81

Function 019A5607 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d246978e33c0afc39866d1c0d278a81f4c5e3a026af3d8a234b863355e503a1
Instruction ID: 707232a49bf02769ffa53324e9d43ff6be38e906ac78be304b227a9469704035
Opcode Fuzzy Hash: 7d246978e33c0afc39866d1c0d278a81f4c5e3a026af3d8a234b863355e503a1
Instruction Fuzzy Hash: 7C01F972B041156FEB159E58AC10AEE3FEBEFD9751B59802AF518C7280CA71CC16C7E1

Function 016CD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4155780030.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16cd000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 87d2a363227bf389374bc08155db796abf3de793e46260c53b34506b0a474179
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 5B11BB75504284CFDB12CF58C9C4B26BFA2FB84714F24C6AED8494B752C33AD44ACBA2

Function 019A1F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf765f5f735533b5984b59d5d33cfa240d84b5fd1426a5d5d9c9efa5c311ba2
Instruction ID: 2803d9eb893a1adc808412c1fc5a43177c1df9068899ca69a5d847eb17a64700
Opcode Fuzzy Hash: 8cf765f5f735533b5984b59d5d33cfa240d84b5fd1426a5d5d9c9efa5c311ba2
Instruction Fuzzy Hash: 9F214A74D0464A8FCB11EFA8D8485EEBFF5FF49310F1451AAD445BB264EB301A49CB91

Function 06FB25E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e2108e785c4cd461f3c31294d9310ed791dc130c632cdcb04776ebd9c9c670
Instruction ID: 9483900704cfb07caa7e6964a46d3ab4ca3cd5598645eb64a3374b5ad2cc4c22
Opcode Fuzzy Hash: 06e2108e785c4cd461f3c31294d9310ed791dc130c632cdcb04776ebd9c9c670
Instruction Fuzzy Hash: 8A01B671E002199FDF54EFBAD8046EEBBF5BF89200F50856AD419E7250E7389A018FD5

Function 019ADF08 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238711d8628c3f2dad3f767dd1dcd6f90da2b4f6332038f4ac378c65cdd41348
Instruction ID: a6c6a5d1d40a26b1e5dd77aa0e6d9c120f37b6fc50922c6314d86f966cb9319f
Opcode Fuzzy Hash: 238711d8628c3f2dad3f767dd1dcd6f90da2b4f6332038f4ac378c65cdd41348
Instruction Fuzzy Hash: 60F0E236D142448FDB10CAECBC151BBB7B8EB8A301F449425D608E3251D76495198AC1

Function 019AD449 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0846589b44f6216d991ba94523edb4513ae0ef3ba8784bc7e2feae7e727268d
Instruction ID: 4ca4b5946772d710e66547bcc25442d2b9cf1ec2be1ac1492e4ac5c892144901
Opcode Fuzzy Hash: f0846589b44f6216d991ba94523edb4513ae0ef3ba8784bc7e2feae7e727268d
Instruction Fuzzy Hash: DEF05C31D406058AD710D9ECBC096FAB3FDA786302F40B024C90CE31D1D770691A86C0

Function 06FB9760 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7db38537b5bd996034fcc9ae931ca1b860bad2ee09cc46f2780f5878c503f2f
Instruction ID: 41edbea6187db6668a3957b74eb00c4dd261de2ddab98f59b5acd8b2877c1f56
Opcode Fuzzy Hash: f7db38537b5bd996034fcc9ae931ca1b860bad2ee09cc46f2780f5878c503f2f
Instruction Fuzzy Hash: 1FF0B4323001187F8B055E999C419AF7EABFBCC210B00442DFA09C3350CE31881197A5

Function 019ADEB0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 313e0b2589bb41d6714d1bfb1b5d42126133e7c8ccf01072675d825f7f1e8b9b
Instruction ID: 9cf56744a3af8c93a2b83faf858073cffb9af196dda958b190679154863bfcbb
Opcode Fuzzy Hash: 313e0b2589bb41d6714d1bfb1b5d42126133e7c8ccf01072675d825f7f1e8b9b
Instruction Fuzzy Hash: FDF03A70A11125CFCB94EFBCC44495E7BF4AF0C21076144A9D509DB721EB30D9058BD0

Function 019A2010 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2493ab38ebc811dec74a182db9ff4609c53b852abe455d8de9537ed135d92103
Instruction ID: 2187bb823c0c3c9e760f0efe8e853bf264404395883738f63f39653e0cf42a48
Opcode Fuzzy Hash: 2493ab38ebc811dec74a182db9ff4609c53b852abe455d8de9537ed135d92103
Instruction Fuzzy Hash: 8BE09232D2476A5BCB029BB0DC004EEBB79EEA7224B444197D5686B042EB70654EC7A2

Function 019AD4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa5da075b224f2c0db903429ceec7cbb8b4f9ad480b825cf504f9b48d8c5571
Instruction ID: 8d7c647baf868e69dd6ef1840bdce67f511610baa2e69dcf024a6b9548b2e367
Opcode Fuzzy Hash: 0aa5da075b224f2c0db903429ceec7cbb8b4f9ad480b825cf504f9b48d8c5571
Instruction Fuzzy Hash: 9FE0DFE2D08144CAE3108BEA68260B8BFF0DDE32517C46487D08D8B969E614E21A9B51

Function 019A2020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ae413569db63f9bf205a942dccbd04d475c7297c6cfb667f0b22e1e1f00889
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: 41ae413569db63f9bf205a942dccbd04d475c7297c6cfb667f0b22e1e1f00889
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 019A8258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 0dd68462765461d0211461af50d04278b0a0580bc981561cffd664c3dc217d70
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 32C08C3320C1282EA639108F7C40EB3BB8CC3C13F6A650137F95CE3200A8429C8401F8

Function 019AA70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b001208461b768be4a3d788a617e8543f85e5fc40512b8f8b05e59d0ffb08111
Instruction ID: f2158263613f5efa1cdff64e88068277c23cb8ed32f4256e051f4bf997615d59
Opcode Fuzzy Hash: b001208461b768be4a3d788a617e8543f85e5fc40512b8f8b05e59d0ffb08111
Instruction Fuzzy Hash: 12D0677AB41018DFCB049F99E8448DDB7B6FB9C221B148126E915A3265C631D921DB54

Function 019A5EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ae623ee1d16f6c57222c535b180c73be38335fc2d6f0c49458dca38f1d233d
Instruction ID: b40dd82a310f0542e2aae960a709ab7d03b830e0578e2688418cab3545e212ce
Opcode Fuzzy Hash: 91ae623ee1d16f6c57222c535b180c73be38335fc2d6f0c49458dca38f1d233d
Instruction Fuzzy Hash: 95D02B3065C3454FC701F334FD955543B3DFA90304F8045B4E8054E21AEB7C9C4A8792

Function 019AFBEB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 951b9e582fa635f146c803258439d375c14a0590d84fc1cc43ed422083443a56
Instruction ID: 517b91d618adf595643a514c8d4db9f398fab44be2a2e155212657df9b3ba067
Opcode Fuzzy Hash: 951b9e582fa635f146c803258439d375c14a0590d84fc1cc43ed422083443a56
Instruction Fuzzy Hash: 73D06C78D4412C8BCB20EFA8EA456ECB7B0EB9A300F0014E6990DB3610D7705AA48F91

Function 019A5EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71319afc69d14b1841e39ed71a7f330c4f0b2c1108e3c48199e0daa3fbef1367
Instruction ID: a9e48d6b067b6e5564fa95d31d62167c39030674b0f00e9c228590f306677b7a
Opcode Fuzzy Hash: 71319afc69d14b1841e39ed71a7f330c4f0b2c1108e3c48199e0daa3fbef1367
Instruction Fuzzy Hash: 3FC0123024430A4FC501F775FA855A5772EF6D0300F409530A4090A329EF785C8A4795

Non-executed Functions

Function 06FB2807 Relevance: 12.9, Strings: 10, Instructions: 389COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06FB2BEA
Hbq, xrefs: 06FB2869
PH^q, xrefs: 06FB2CE2
PH^q, xrefs: 06FB2DD7
PH^q, xrefs: 06FB2CF6
PH^q, xrefs: 06FB2DEB
PH^q, xrefs: 06FB2BFE
", xrefs: 06FB3087
PH^q, xrefs: 06FB2EE6
PH^q, xrefs: 06FB2ED2

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID: "$Hbq$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q
API String ID: 0-2450740202
Opcode ID: 337b59529781c93c0ea47667feea1e0f1a0915235b4414d0fc7d73349c7f8675
Instruction ID: ac1196733246338c6c2bf0e961dd3e6c10d7f3a474612ee78ca18ab4444bcee9
Opcode Fuzzy Hash: 337b59529781c93c0ea47667feea1e0f1a0915235b4414d0fc7d73349c7f8675
Instruction Fuzzy Hash: 4012B2B4E012188FDB58CF69C994BEDBBB2BF89300F1094A9D509A7364DB359E85CF50

Function 019AE528 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5vq, xrefs: 019AE643

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: .5vq
API String ID: 0-493797296
Opcode ID: 2aa20d111f407a160242c1b06bfa4110eb96fe97b927c8f6959ae4f58ea4c8bd
Instruction ID: 4300ffad04e1b13abaf5070092de298173647e58329369ae99df901088751e9b
Opcode Fuzzy Hash: 2aa20d111f407a160242c1b06bfa4110eb96fe97b927c8f6959ae4f58ea4c8bd
Instruction Fuzzy Hash: C052AB74E01228CFDB64DF69D884BADBBB6BB88300F5085E9D409A7354DB359E85CF90

Function 05EDC1F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d685d35b73b05def92fd496b661b08930eb1dd155332930aa946beb402d244f9
Instruction ID: 8d39936df870f0d6d266ddadacf7455289e5b4ecdab11f0696db20c97271441c
Opcode Fuzzy Hash: d685d35b73b05def92fd496b661b08930eb1dd155332930aa946beb402d244f9
Instruction Fuzzy Hash: 54C19D74E00218CFDB14DFA5D984BADBBB6BF88304F2091A9D409AB354DB359E86CF50

Function 05ED11C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef9ef98baa86e03aa1a2af9e1bad3e79e8ae6b283d40a2f2ac5a3491f8bf568
Instruction ID: cbb327cb572fbf8418982124d1f6c48c0154c4db970e786cb19d76559f72a8fc
Opcode Fuzzy Hash: cef9ef98baa86e03aa1a2af9e1bad3e79e8ae6b283d40a2f2ac5a3491f8bf568
Instruction Fuzzy Hash: 8DC19F74E00218CFDB18DFA5D984BADBBB6BF89300F1091A9D809A7354DB359E85CF50

Function 05EDF1B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6104a961ef0c954e423ac2f525b66445386b4ddc0eddbfac679e093ee304a5af
Instruction ID: 04689eac7416eace2353b9ffc44cfdc253573f04e3e3352db5a4d91edb2026e0
Opcode Fuzzy Hash: 6104a961ef0c954e423ac2f525b66445386b4ddc0eddbfac679e093ee304a5af
Instruction Fuzzy Hash: 5AC19E74E00218CFDB14DFA5D984BADBBB6BF88304F2091A9D419AB354DB359E85CF50

Function 05EDBD98 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b178908855865dd91626f1c5f30c66fa4e327f1c680f6e25d7e5dbcad7ad77b
Instruction ID: 1f5625fc0491460cbcb47257276526a01e1f96d418ff9ead1310c7cac516c3b8
Opcode Fuzzy Hash: 1b178908855865dd91626f1c5f30c66fa4e327f1c680f6e25d7e5dbcad7ad77b
Instruction Fuzzy Hash: ADC19D74E00218CFDB14DFA5D984BADBBB6BF88304F2091A9D809AB354DB359E85CF50

Function 05ED0D60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc046692a36fac9dc78d62b2470c82d37fc18466a8f6ede44f9bd4c4061bd56
Instruction ID: 3ed3e4a2232fe805f6e34eb7ed252f9b1be8da61ae7041f4c63f7e82d7cda187
Opcode Fuzzy Hash: 2cc046692a36fac9dc78d62b2470c82d37fc18466a8f6ede44f9bd4c4061bd56
Instruction Fuzzy Hash: 0DC19F74E00218CFDB14DFA5D944BADBBB6FB89300F2091A9D809A7355DB359E85CF50

Function 05EDED60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5183611abe74175c650bca0804148dfb0c154740ca1a9bac403a50e4995746b
Instruction ID: 093c5e5764fc48c2c088b27aa0bdcecc1ba3a9969d29c4859b5facd5e37400e4
Opcode Fuzzy Hash: e5183611abe74175c650bca0804148dfb0c154740ca1a9bac403a50e4995746b
Instruction Fuzzy Hash: 87C19E74E00218CFDB14DFA5D984BADBBB6BF88304F2091A9D809AB355DB359E85CF50

Function 05EDB940 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15efe459ff085ae7963c7c6693dbd8e5bdc850e13d883d83bd6dee4672e1667e
Instruction ID: 6319c80e41d4d4fcdcfac17aa94cc050fb8b4e7cb30522dae98e2192db109f9a
Opcode Fuzzy Hash: 15efe459ff085ae7963c7c6693dbd8e5bdc850e13d883d83bd6dee4672e1667e
Instruction Fuzzy Hash: F9C19F74E00218CFDB14DFA5D994BADBBB6FB88304F2090A9D409AB355DB359E85CF50

Function 05EDE908 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f655d344df9681a6b4e7969db32a0db8eee2b7ee7db409196d50f0f835e1df
Instruction ID: 585f1b7c9e56006f9c1049dd453216a0c33b6432cb1a251fa82d135bccca16b5
Opcode Fuzzy Hash: 11f655d344df9681a6b4e7969db32a0db8eee2b7ee7db409196d50f0f835e1df
Instruction Fuzzy Hash: 60C19D74E00218CFDB14DFA5D984BADBBB6BF88304F2091A9D809AB354DB359E85CF50

Function 05ED0900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d4f0df7da81e2d99e8ef65a6f31e7c92987c12c1f164c98b7f8a25dc12bb4c2
Instruction ID: 2bb0b36381637a190df445b4ee034208ec7f7de02c0d302b8ae148e2a792e4cb
Opcode Fuzzy Hash: 3d4f0df7da81e2d99e8ef65a6f31e7c92987c12c1f164c98b7f8a25dc12bb4c2
Instruction Fuzzy Hash: 3BC1AF74E00218CFDB14DFA5D988BADBBB6FB88304F2490A9D809A7354DB359E85CF50

Function 05EDB4E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b272c9b14aa5f8b6ac5b4fb0ecc9c4232e40e08c56af1f21bc788b1ae6c99483
Instruction ID: c7798791169393d2ab8b90d4c1e8b15c558e4cd92a113b6e8283edc650ed63b3
Opcode Fuzzy Hash: b272c9b14aa5f8b6ac5b4fb0ecc9c4232e40e08c56af1f21bc788b1ae6c99483
Instruction Fuzzy Hash: EEC1AD74E00218CFDB14DFA5D984BADBBB6FB88304F2091A9D409AB354EB359E85CF50

Function 05ED04A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c547de8642cf467f3ec33c334d1ade95e0db2399de2233a8e855ebe89c1b70
Instruction ID: d28e03a957515e82c998202ec7347716696eaa794917c698dcee8ae3a9806e0e
Opcode Fuzzy Hash: e0c547de8642cf467f3ec33c334d1ade95e0db2399de2233a8e855ebe89c1b70
Instruction Fuzzy Hash: BCC1AF74E00218CFDB54DFA5D948BADBBB6FB88300F2491A9D809A7354DB359E85CF50

Function 05EDE4B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf78c9e60bc2d9e3d2d07ca57081ccce8479e5acc26dca7ec8e16968d5fad35
Instruction ID: 1c96b2c40ae370750f92c7ed20d0674b949aa8a43a35c149f9080f2a795842d1
Opcode Fuzzy Hash: 0cf78c9e60bc2d9e3d2d07ca57081ccce8479e5acc26dca7ec8e16968d5fad35
Instruction Fuzzy Hash: 74C19D74E00218CFDB14DFA5D994BADBBB6BF88304F2091A9D409AB364DB359E85CF50

Function 05ED0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d3f450bc69381e563286336d0dc60c1c7a93ddd709cadb0736ba75e30a18f95
Instruction ID: 883c1a1b2223e1f752ac5ea58babad2752fda8bcd7bea3dac067e3ce61b05b68
Opcode Fuzzy Hash: 9d3f450bc69381e563286336d0dc60c1c7a93ddd709cadb0736ba75e30a18f95
Instruction Fuzzy Hash: 84C1AF74E00218CFDB14DFA5D988BADBBB6FB89300F1490A9D809AB355DB359D85CF50

Function 05EDE058 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f8a40444b7b5f10d10fb473843085e547df637b17c0306ac99b86d5e21e602
Instruction ID: 9690baf7a0c5023d9a52b2ddfed2bb94392c74e4e04256e35d47410427ef8cc8
Opcode Fuzzy Hash: d5f8a40444b7b5f10d10fb473843085e547df637b17c0306ac99b86d5e21e602
Instruction Fuzzy Hash: B6C19D74E00218CFDB14DFA5D984BADBBB6BF88304F2091A9D409AB365DB359E85CF50

Function 05EDDC00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caca6fe07ade0bd4586be654223fc670d74e97434fc15d7f0a3e425be382d3c9
Instruction ID: e9ac294ac6acdd487205482260832860d74b60444641145baaa2c2af0d0501f1
Opcode Fuzzy Hash: caca6fe07ade0bd4586be654223fc670d74e97434fc15d7f0a3e425be382d3c9
Instruction Fuzzy Hash: D5C18D74E00218CFDB14DFA5D994BADBBB6FB88304F2091A9D809AB354DB359E85CF50

Function 05EDD7A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b752a0c29029db838c8fc0a475a3ee562568c1905e4442a1e17e16214cfcdde
Instruction ID: 07b8fa78c4cd4487314dd090472d1cb3aecf3a2aab223c43b220985d78263823
Opcode Fuzzy Hash: 2b752a0c29029db838c8fc0a475a3ee562568c1905e4442a1e17e16214cfcdde
Instruction Fuzzy Hash: 78C19D74E00218CFDB14DFA5D984BADBBB6BF88304F2091A9D809AB354DB359E85CF50

Function 05EDD350 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 938d2aff7b47e247913593392a2123376594099655cfced33ed7b30dd4a1acfd
Instruction ID: 7c382f637c3e55160a0727cb51f45e422331067250080a6149afb747ff4a7c4b
Opcode Fuzzy Hash: 938d2aff7b47e247913593392a2123376594099655cfced33ed7b30dd4a1acfd
Instruction Fuzzy Hash: D2C19D74E00218CFDB54DFA5D994BADBBB6BB88304F2090A9D409AB364DB359E85CF50

Function 05EDCEF8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2c2fb3c668011b2e480c52c24fc6b30254ab4b2a24d3bbf38734f54bc3cb06e
Instruction ID: 4d10cf3796b62918cb41f106f062e20226da087a4ffd88197305b1d4d490bc47
Opcode Fuzzy Hash: d2c2fb3c668011b2e480c52c24fc6b30254ab4b2a24d3bbf38734f54bc3cb06e
Instruction Fuzzy Hash: 56C19E74E00218CFDB14DFA5D994BADBBB6FB88304F2091A9D409AB364DB359E85CF50

Function 05EDFA68 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc44a6046e45a88c5c35923ad92a37b570ed213c945e5d49f95ac20a22a6a8ab
Instruction ID: 2c8bc4c8973d53fae7f3b9857f55c23150419a810fbc92d899119799c782abe4
Opcode Fuzzy Hash: fc44a6046e45a88c5c35923ad92a37b570ed213c945e5d49f95ac20a22a6a8ab
Instruction Fuzzy Hash: 77C1AD74E00218CFDB14DFA5D984BADBBB6BF88304F2090A9D819AB355DB359E85CF50

Function 05EDC648 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df52cf9a3377de253952965eb35215fb62aa7cb922c8b26e06c0f53a4491ee13
Instruction ID: 67f2acd259f17f433303c51d12ee5b85fc3cef9f01eba12ca684bb027cec3115
Opcode Fuzzy Hash: df52cf9a3377de253952965eb35215fb62aa7cb922c8b26e06c0f53a4491ee13
Instruction Fuzzy Hash: 09C19E74E00218CFDB54DFA5D994BADBBB6BF88304F2090A9D409AB354DB359E86CF50

Function 05EDF610 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efd9761e01e4b457468d14d9b8f73af61ae58a3d8509490125c467e615d243f4
Instruction ID: b91f4d239640baf38cc6e37e5817ad8197c3e84aa0509aba30970114de25934a
Opcode Fuzzy Hash: efd9761e01e4b457468d14d9b8f73af61ae58a3d8509490125c467e615d243f4
Instruction Fuzzy Hash: 78C19E74E00218CFDB14DFA5D984BADBBB6BF88304F2091A9D819AB354DB359E85CF50

Function 06FB5EC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0283e58ffd5bfa070940ed0dbddfe3b0cc7b417b27043ac462cc7f93c438c078
Instruction ID: 17fac3113a68639a0b6a91504c6b76b0f0dc6755751dec79616e59c0b9bee57f
Opcode Fuzzy Hash: 0283e58ffd5bfa070940ed0dbddfe3b0cc7b417b27043ac462cc7f93c438c078
Instruction Fuzzy Hash: A5C1AE74E00218CFEB54DFA5D984BADBBB6EF88304F2091A9D409AB354DB359E85CF50

Function 06FB5A70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b88b7a85795823f863dde1d027299b7951842948d57baa73408fa3918a4cfc2
Instruction ID: a1622a47f3c81561724b58206872d1f7f1c12fcad90f327c4eaf2a7c761ca1ee
Opcode Fuzzy Hash: 8b88b7a85795823f863dde1d027299b7951842948d57baa73408fa3918a4cfc2
Instruction Fuzzy Hash: D2C1AD74E00218CFDB54DFA5D984BADBBB6EF89304F2090A9D409AB364DB359E85CF50

Function 06FB5618 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44cb18fbcd2e2e2e20697f0d39b9d66544ee50292248aec22a7d19c10cb12512
Instruction ID: fa7cdf47662c6f6dbf6e0a0abd32b7a96f614744ba9e3647a3883e590b438571
Opcode Fuzzy Hash: 44cb18fbcd2e2e2e20697f0d39b9d66544ee50292248aec22a7d19c10cb12512
Instruction Fuzzy Hash: FFC19C74E00218CFDB54DFA5D984BADBBB6AF89300F2090A9D409AB364DB359E85CF50

Function 06FB6BD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aceb37348ea72e3ae52745b847a775a4441060d34f0d5e8310223c714711757a
Instruction ID: 62d664e478faacab4e838c24fc0e6771eab1104b961afbcf5034899d31c1911c
Opcode Fuzzy Hash: aceb37348ea72e3ae52745b847a775a4441060d34f0d5e8310223c714711757a
Instruction Fuzzy Hash: 87C19D74E00218CFDB54DFA5D984BADBBB6EF88304F2090A9D409AB364DB359E85CF50

Function 06FB6778 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c685330abfbcc3a798e33e97939adff3d6aa10acf56f2e128fb332b27052fbb6
Instruction ID: db9417c955152dd2223aa904cc781a61eef8b8a33d45f8b0be9a93d7c8651ff1
Opcode Fuzzy Hash: c685330abfbcc3a798e33e97939adff3d6aa10acf56f2e128fb332b27052fbb6
Instruction Fuzzy Hash: EBC1AD74E00218CFDB54DFA5D994BADBBB6EF88304F2090A9D409AB364DB359E85CF50

Function 06FB6320 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec226ecd0ff9c432574326975784524fd3de846e3b89f67c8797afd6f5b257b
Instruction ID: e44239832d44ef09c7c535cc22ca16f1e4b85fe00533bd89736a9e39cd8003f8
Opcode Fuzzy Hash: 9ec226ecd0ff9c432574326975784524fd3de846e3b89f67c8797afd6f5b257b
Instruction Fuzzy Hash: 7AC1AD74E00218CFDB54DFA5D994BADBBB6BF88304F2090A9D409AB358DB359E85CF50

Function 06FB08F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b99f2354a4ae078fc00890a59433b8782bb6ca4c8c8860a3bdeea3240e1bd2a5
Instruction ID: f0bc134cedcd7095c9a0110ead8293589b067c6fa04da966101610e022226e65
Opcode Fuzzy Hash: b99f2354a4ae078fc00890a59433b8782bb6ca4c8c8860a3bdeea3240e1bd2a5
Instruction Fuzzy Hash: 33C19E74E00218CFDB54DFA5D984BAEBBB6EB88304F2091A9D409AB354DB359E85CF50

Function 06FB74A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0285e2dc182d943a417eb5d89e86c99a4fd9ca7fb3496c44532000b01d16e486
Instruction ID: ae6c8d3145258b71e1e9cfe0fc22c7c95d11525eb72521032adf1fed8c3a984b
Opcode Fuzzy Hash: 0285e2dc182d943a417eb5d89e86c99a4fd9ca7fb3496c44532000b01d16e486
Instruction Fuzzy Hash: 64C1AD74E00218CFDB54DFA5D984BADBBB6EF88304F2090A9D809AB354DB359E85CF50

Function 06FB0498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa90aea7a40f9477f6ffb02f2a00b1f324f60353411664cbbf90f1227faf617a
Instruction ID: 6a72048d1a297495be919d2e743fa4f3f3c5a1f305af18aeea3686c363c263a7
Opcode Fuzzy Hash: aa90aea7a40f9477f6ffb02f2a00b1f324f60353411664cbbf90f1227faf617a
Instruction Fuzzy Hash: 5FC19F74E00218CFDB54DFA5D984BAEBBB6EF89304F2090A9D409AB354DB359E85CF50

Function 06FB7050 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb9beb57f08b2fc833494dc18e9cee7e9723fb7d9e0bdad2fd640d1c0084aaeb
Instruction ID: 69f4c97f99a7b50886c1ebaf25fbe30515a4c1a3986f999af83b21ad0085e6b9
Opcode Fuzzy Hash: fb9beb57f08b2fc833494dc18e9cee7e9723fb7d9e0bdad2fd640d1c0084aaeb
Instruction Fuzzy Hash: 37C19E74E00218CFDB54DFA5D984BADBBB6BF89304F2090A9D409AB364DB359E85CF50

Function 06FB0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b3168010ef2604cdf7255f9d41b4218d749f1c30e21d470cc1ef5be1334f0c
Instruction ID: 4a6540f668aa8a046b797f4ee857ce445d662cb50f83ec0e044529a812d77d60
Opcode Fuzzy Hash: 10b3168010ef2604cdf7255f9d41b4218d749f1c30e21d470cc1ef5be1334f0c
Instruction Fuzzy Hash: 5CC19E74E00218CFDB54DFA5D984BADBBB6BF88304F2090A9D409AB355DB359E85CF50

Function 06FB81B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8b94c580677f28effb90eaa1ab00b80907727ad2c4146e646d7219502b0ab4
Instruction ID: 10e0587ec18839b5fa10afece73e30ba06e6a4a23f948de29689691ba0470234
Opcode Fuzzy Hash: ac8b94c580677f28effb90eaa1ab00b80907727ad2c4146e646d7219502b0ab4
Instruction Fuzzy Hash: F9C19D74E00218CFDB54DFA5D994BADBBB6BF88300F2090A9D819AB354DB359E85CF50

Function 06FB5198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9fe52ba4f435f6a6b04a6a9170ac09de5e9c3ca82c11701d81a3c88e198bba4
Instruction ID: 6c33fce020a9c63888818543243a35a0bf76f190c52fc03bc3f9d9362518fc24
Opcode Fuzzy Hash: c9fe52ba4f435f6a6b04a6a9170ac09de5e9c3ca82c11701d81a3c88e198bba4
Instruction Fuzzy Hash: CCC1AD74E00218CFDB54DFA5D984BADBBB6EF88304F2091A9D409AB364DB359E85CF50

Function 06FB7D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01b30092f1fa55000a797d3d25eccea7b61211fda706727d8b222c41f96bffa0
Instruction ID: 2add081e38deab527c7c58da15a5ffd52630f617a89818cda83b4465ba49a896
Opcode Fuzzy Hash: 01b30092f1fa55000a797d3d25eccea7b61211fda706727d8b222c41f96bffa0
Instruction Fuzzy Hash: 4EC1AE74E00218CFDB54DFA5D984BADBBB6EF88300F2090A9D419AB364DB359E85CF50

Function 06FB0D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c3e22a253e0ac188ef93c1934bbc02c10aec42bc26550e76eddc32070069ad8
Instruction ID: 59c4ee0de0f193f625630da93a1a69ceb138cfe225387581a677053e2c542697
Opcode Fuzzy Hash: 5c3e22a253e0ac188ef93c1934bbc02c10aec42bc26550e76eddc32070069ad8
Instruction Fuzzy Hash: 06C1AD74E00218CFDB54DFA5D994BADBBB6EF88300F2090A9D409AB364DB359E85CF50

Function 06FB7900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2207e4f4c8831a26e743ce72e3fb407049b422431a78aaa6bd4487eae770a6a6
Instruction ID: 6f8532c987e4a3c5de39e118de28995592d9b4f02d6f0dc3ed26509408fc6998
Opcode Fuzzy Hash: 2207e4f4c8831a26e743ce72e3fb407049b422431a78aaa6bd4487eae770a6a6
Instruction Fuzzy Hash: 07C19E74E00218CFDB54DFA5D984BADBBB6EF88300F2090A9D409AB354DB359E85CF50

Function 06FB33B8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d94378f77d8088baa5b8fc21a33b8ca5dec15cb2752ae6b25e4d17bc603601
Instruction ID: 99e8352885c7f0c88ccb7c8ceef4907c5e453f8002cda735848431af7043011f
Opcode Fuzzy Hash: c2d94378f77d8088baa5b8fc21a33b8ca5dec15cb2752ae6b25e4d17bc603601
Instruction Fuzzy Hash: E7B1A274E00218CFDB54DFA9D884A9DBBB2FF89300F2091A9D919AB365DB31AD41CF50

Function 05ED1620 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b67a62634e2c7e735fdb4a043988a4dc664e800e6f1e0b47bfd5be6462017e
Instruction ID: 0b41b323576cbbef901df05f791c17e1aa1c8e3a1a8efd11092e5646133d7160
Opcode Fuzzy Hash: 02b67a62634e2c7e735fdb4a043988a4dc664e800e6f1e0b47bfd5be6462017e
Instruction Fuzzy Hash: 01A10270E002088FEB14DFA8D998BDDFBB1BF89304F209269E449A73A1DB745985CF51

Function 05ED1966 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158116171.0000000005ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5ed0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf8013029464bb72696b13205b05ff3b61d6a61187b9c937097ee5154e35d1c
Instruction ID: cecd7916266dce0fde5b4c8654494ef3c2da3e7ae3bac4c9cf94dcb864048888
Opcode Fuzzy Hash: 7cf8013029464bb72696b13205b05ff3b61d6a61187b9c937097ee5154e35d1c
Instruction Fuzzy Hash: 2091F374D00208CFEB14DFA8D588BECBBB1FF49314F209269E449AB291DB749985CF64

Function 019AEB5B Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 841a087c3794386afd2bee734db906375d6f7d68d7d8fae454f39fbe778cc506
Instruction ID: de19dd1838285cf457935fa0eb42565ac06b2ab73ccc3198c91e135491da6572
Opcode Fuzzy Hash: 841a087c3794386afd2bee734db906375d6f7d68d7d8fae454f39fbe778cc506
Instruction Fuzzy Hash: 39A1AD74A01228CFDB64DF24D984BAABBB2BF49301F5085EAD40DA7354DB319E84CF51

Function 06FB33A8 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc3e14252137ae1cc9c0bf825736c031bfbceee9702d9d2cf35c73cc99da2c0c
Instruction ID: d0b008c735366f83bb4f008d9ac411a86c67c3ad52b36ff9009101e2971918ae
Opcode Fuzzy Hash: bc3e14252137ae1cc9c0bf825736c031bfbceee9702d9d2cf35c73cc99da2c0c
Instruction Fuzzy Hash: 9651A475E006088FDB48DFAAD884A9DBBF2FF8D310F149169E519AB364DB349942CF50

Function 019AED3C Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9956bf19a9a384d5ea96715356c31fb177d4b0b716284f9162612af70101f25
Instruction ID: 82664c7cb2741c0ef81d1ab0255a22cced51e5fd08a2e20d787f79af8ab80be6
Opcode Fuzzy Hash: b9956bf19a9a384d5ea96715356c31fb177d4b0b716284f9162612af70101f25
Instruction Fuzzy Hash: E0519D74A01228CFCB65DF24D894BAAB7B2BF4A301F5085E9D40EA7254DB319E85CF51

Function 06FB36CE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4158615978.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fb0000_Order Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d682575faadf8790822a3eff82bf5ab50fe5674585fa4d164f165f6e05efeafe
Instruction ID: 51049bd7bfe7e5d19bfc9db9da8808f4ddda5e60bb586b789f86eae3ef7cc439
Opcode Fuzzy Hash: d682575faadf8790822a3eff82bf5ab50fe5674585fa4d164f165f6e05efeafe
Instruction Fuzzy Hash: 6FD09235D4426DCACB60EFA9E8407EEB7B2FFD6300F4024A6C50CB7650D7309E558A96

Function 019A21E3 Relevance: 5.4, Strings: 4, Instructions: 427COMMON

Download Yara Rule

Strings

Xbq, xrefs: 019A2314
Xbq, xrefs: 019A220E
Xbq, xrefs: 019A22C7
Xbq, xrefs: 019A2248

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: f8848ec9722312e8773fc4c99b19cb2e621f92eff225a5898fae45241acab155
Instruction ID: 69c7d642107218d4d54ee99336739c098b29ca396a0839b7957e8b2f1af23a8e
Opcode Fuzzy Hash: f8848ec9722312e8773fc4c99b19cb2e621f92eff225a5898fae45241acab155
Instruction Fuzzy Hash: 6512493D881362CBCB185FF5994821EBE31BFC9310F99898A9454E62C9DD2FB585C3D2

Function 019A6088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 019A60C6
\;^q, xrefs: 019A60BA
\;^q, xrefs: 019A609E
\;^q, xrefs: 019A6094

Memory Dump Source

Source File: 00000001.00000002.4156202377.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_Order Details.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: 616950951fb523236adc6b8a48155151b6af59354ab4d63633e6e48963fece42
Instruction ID: 21922c11787ed4f9a53e2678f8e63e2fff2eceec2d7f3d2b3b8c1ac4a3020377
Opcode Fuzzy Hash: 616950951fb523236adc6b8a48155151b6af59354ab4d63633e6e48963fece42
Instruction Fuzzy Hash: EB01B1317800249FCB648E2EC444D2577FFAF88A61359457AE10ACB3B4DA72DC8987C0

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Order Details.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order Details.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
Order Details.exe

Function 027BAE48 Relevance: 1.9, Strings: 1, Instructions: 615
COMMON

Function 027B9F3C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Function 027BAA20 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Function 027B9F60 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Function 027BAB78 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Function 027BA8F8 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Function 027B9F48 Relevance: 1.6, APIs: 1, Instructions: 91
threadCOMMON

Function 027BAC98 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Function 00CFD4FC Relevance: .1, Instructions: 75
COMMON

Function 019A6730 Relevance: 5.5, Strings: 4, Instructions: 455
COMMON

Function 019A3573 Relevance: 2.9, Strings: 2, Instructions: 418
COMMON

Function 019AB328 Relevance: 2.9, Strings: 2, Instructions: 356
COMMON

Function 019AC470 Relevance: 2.7, Strings: 2, Instructions: 201
COMMON

Function 019AC753 Relevance: 2.7, Strings: 2, Instructions: 192
COMMON

Function 06FB8C51 Relevance: 2.7, Strings: 2, Instructions: 189
COMMON

Function 019A4AD9 Relevance: 2.7, Strings: 2, Instructions: 189
COMMON

Function 019AC190 Relevance: 2.7, Strings: 2, Instructions: 187
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre