Edit tour

Windows Analysis Report
order6566546663.exe

Overview

General Information

Sample name:	order6566546663.exe
Analysis ID:	1592378
MD5:	71bd2f038e92ae0e3b95a7567511458e
SHA1:	816293b2472e394288fc9c91bdff206ab8ef52e2
SHA256:	13ba4ee3d7accddd8dbce8e4bc4a623e0b7bf30350fe9d58f1c269cd744bb835
Tags:	exeSnakeKeyloggeruser-threatcat_ch
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

order6566546663.exe (PID: 4512 cmdline: "C:\Users\user\Desktop\order6566546663.exe" MD5: 71BD2F038E92AE0E3B95A7567511458E)

order6566546663.exe (PID: 6976 cmdline: "C:\Users\user\Desktop\order6566546663.exe" MD5: 71BD2F038E92AE0E3B95A7567511458E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "frankichong@yulifertilizer.com.my", "Password": "Ayfc931319*", "Host": "yulifertilizer.com.my", "Port": "25", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1494c:$a1: get_encryptedPassword 0x14c38:$a2: get_encryptedUsername 0x14758:$a3: get_timePasswordChanged 0x14853:$a4: get_passwordField 0x14962:$a5: set_encryptedPassword 0x15fc5:$a7: get_logins 0x15f28:$a10: KeyLoggerEventArgs 0x15b93:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182e0:$x1: $%SMTPDV$ 0x18346:$x2: $#TheHashHere%& 0x199af:$x3: %FTPDV$ 0x19aa3:$x4: $%TelegramDv$ 0x15b93:$x5: KeyLoggerEventArgs 0x15f28:$x5: KeyLoggerEventArgs 0x199d3:$m2: Clipboard Logs ID 0x19bf3:$m2: Screenshot Logs ID 0x19d03:$m2: keystroke Logs ID 0x19fdd:$m3: SnakePW 0x19bcb:$m4: \SnakeKeylogger\
00000000.00000002.2027290884.0000000004E50000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ae6b:$x1: In$J$ct0r
00000001.00000002.4500830132.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x56d3c:$a1: get_encryptedPassword 0x7796c:$a1: get_encryptedPassword 0x9838c:$a1: get_encryptedPassword 0x57028:$a2: get_encryptedUsername 0x77c58:$a2: get_encryptedUsername 0x98678:$a2: get_encryptedUsername 0x56b48:$a3: get_timePasswordChanged 0x77778:$a3: get_timePasswordChanged 0x98198:$a3: get_timePasswordChanged 0x56c43:$a4: get_passwordField 0x77873:$a4: get_passwordField 0x98293:$a4: get_passwordField 0x56d52:$a5: set_encryptedPassword 0x77982:$a5: set_encryptedPassword 0x983a2:$a5: set_encryptedPassword 0x583b5:$a7: get_logins 0x78fe5:$a7: get_logins 0x99a05:$a7: get_logins 0x58318:$a10: KeyLoggerEventArgs 0x78f48:$a10: KeyLoggerEventArgs 0x99968:$a10: KeyLoggerEventArgs
00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x5a6d0:$x1: $%SMTPDV$ 0x7b300:$x1: $%SMTPDV$ 0x9bd20:$x1: $%SMTPDV$ 0x5a736:$x2: $#TheHashHere%& 0x7b366:$x2: $#TheHashHere%& 0x9bd86:$x2: $#TheHashHere%& 0x5bd9f:$x3: %FTPDV$ 0x7c9cf:$x3: %FTPDV$ 0x9d3ef:$x3: %FTPDV$ 0x5be93:$x4: $%TelegramDv$ 0x7cac3:$x4: $%TelegramDv$ 0x9d4e3:$x4: $%TelegramDv$ 0x57f83:$x5: KeyLoggerEventArgs 0x58318:$x5: KeyLoggerEventArgs 0x78bb3:$x5: KeyLoggerEventArgs 0x78f48:$x5: KeyLoggerEventArgs 0x995d3:$x5: KeyLoggerEventArgs 0x99968:$x5: KeyLoggerEventArgs 0x5bdc3:$m2: Clipboard Logs ID 0x5bfe3:$m2: Screenshot Logs ID 0x5c0f3:$m2: keystroke Logs ID
00000001.00000002.4500830132.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: order6566546663.exe PID: 4512	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: order6566546663.exe PID: 4512	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: order6566546663.exe PID: 4512	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: order6566546663.exe PID: 4512	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x71106:$a1: get_encryptedPassword 0x713e8:$a2: get_encryptedUsername 0x70f1c:$a3: get_timePasswordChanged 0x71017:$a4: get_passwordField 0x7111c:$a5: set_encryptedPassword 0x735f2:$a7: get_logins 0x73555:$a10: KeyLoggerEventArgs 0x731c0:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: order6566546663.exe PID: 4512	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x731c0:$x5: KeyLoggerEventArgs 0x73555:$x5: KeyLoggerEventArgs 0x73e5c:$x5: KeyLoggerEventArgs 0x741bd:$x5: KeyLoggerEventArgs 0x757da:$m2: Clipboard Logs ID 0x758d1:$m2: Screenshot Logs ID 0x75927:$m2: keystroke Logs ID 0x75a5c:$m3: SnakePW 0x758bd:$m4: \SnakeKeylogger\
Process Memory Space: order6566546663.exe PID: 6976	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: order6566546663.exe PID: 6976	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: order6566546663.exe PID: 6976	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f2fb:$a1: get_encryptedPassword 0x3f5dd:$a2: get_encryptedUsername 0x3f111:$a3: get_timePasswordChanged 0x3f20c:$a4: get_passwordField 0x3f311:$a5: set_encryptedPassword 0x417e7:$a7: get_logins 0x4174a:$a10: KeyLoggerEventArgs 0x413b5:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: order6566546663.exe PID: 6976	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x413b5:$x5: KeyLoggerEventArgs 0x4174a:$x5: KeyLoggerEventArgs 0x42051:$x5: KeyLoggerEventArgs 0x423b2:$x5: KeyLoggerEventArgs 0x439cf:$m2: Clipboard Logs ID 0x43ac6:$m2: Screenshot Logs ID 0x43b1c:$m2: keystroke Logs ID 0x43c51:$m3: SnakePW 0x43ab2:$m4: \SnakeKeylogger\
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.order6566546663.exe.4e50000.5.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ae6b:$x1: In$J$ct0r
0.2.order6566546663.exe.3853f90.2.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ae6b:$x1: In$J$ct0r
0.2.order6566546663.exe.3853f90.2.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4906b:$x1: In$J$ct0r
0.2.order6566546663.exe.4e50000.5.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4906b:$x1: In$J$ct0r
0.2.order6566546663.exe.3908e20.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.order6566546663.exe.3908e20.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.order6566546663.exe.3908e20.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d4c:$a1: get_encryptedPassword 0x13038:$a2: get_encryptedUsername 0x12b58:$a3: get_timePasswordChanged 0x12c53:$a4: get_passwordField 0x12d62:$a5: set_encryptedPassword 0x143c5:$a7: get_logins 0x14328:$a10: KeyLoggerEventArgs 0x13f93:$a11: KeyLoggerEventArgsEventHandler
0.2.order6566546663.exe.3908e20.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a7ad:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x199df:$a3: \Google\Chrome\User Data\Default\Login Data 0x19e12:$a4: \Orbitum\User Data\Default\Login Data 0x1ae51:$a5: \Kometa\User Data\Default\Login Data
0.2.order6566546663.exe.3908e20.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1391a:$s1: UnHook 0x13921:$s2: SetHook 0x13929:$s3: CallNextHook 0x13936:$s4: _hook
0.2.order6566546663.exe.3908e20.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x166e0:$x1: $%SMTPDV$ 0x16746:$x2: $#TheHashHere%& 0x17daf:$x3: %FTPDV$ 0x17ea3:$x4: $%TelegramDv$ 0x13f93:$x5: KeyLoggerEventArgs 0x14328:$x5: KeyLoggerEventArgs 0x17dd3:$m2: Clipboard Logs ID 0x17ff3:$m2: Screenshot Logs ID 0x18103:$m2: keystroke Logs ID 0x183dd:$m3: SnakePW 0x17fcb:$m4: \SnakeKeylogger\
0.2.order6566546663.exe.38e81f0.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.order6566546663.exe.38e81f0.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.order6566546663.exe.38e81f0.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d4c:$a1: get_encryptedPassword 0x13038:$a2: get_encryptedUsername 0x12b58:$a3: get_timePasswordChanged 0x12c53:$a4: get_passwordField 0x12d62:$a5: set_encryptedPassword 0x143c5:$a7: get_logins 0x14328:$a10: KeyLoggerEventArgs 0x13f93:$a11: KeyLoggerEventArgsEventHandler
0.2.order6566546663.exe.38e81f0.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a7ad:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x199df:$a3: \Google\Chrome\User Data\Default\Login Data 0x19e12:$a4: \Orbitum\User Data\Default\Login Data 0x1ae51:$a5: \Kometa\User Data\Default\Login Data
0.2.order6566546663.exe.38e81f0.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1391a:$s1: UnHook 0x13921:$s2: SetHook 0x13929:$s3: CallNextHook 0x13936:$s4: _hook
0.2.order6566546663.exe.38e81f0.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x166e0:$x1: $%SMTPDV$ 0x16746:$x2: $#TheHashHere%& 0x17daf:$x3: %FTPDV$ 0x17ea3:$x4: $%TelegramDv$ 0x13f93:$x5: KeyLoggerEventArgs 0x14328:$x5: KeyLoggerEventArgs 0x17dd3:$m2: Clipboard Logs ID 0x17ff3:$m2: Screenshot Logs ID 0x18103:$m2: keystroke Logs ID 0x183dd:$m3: SnakePW 0x17fcb:$m4: \SnakeKeylogger\
1.2.order6566546663.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.order6566546663.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.order6566546663.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.order6566546663.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b4c:$a1: get_encryptedPassword 0x14e38:$a2: get_encryptedUsername 0x14958:$a3: get_timePasswordChanged 0x14a53:$a4: get_passwordField 0x14b62:$a5: set_encryptedPassword 0x161c5:$a7: get_logins 0x16128:$a10: KeyLoggerEventArgs 0x15d93:$a11: KeyLoggerEventArgsEventHandler
1.2.order6566546663.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5ad:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7df:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc12:$a4: \Orbitum\User Data\Default\Login Data 0x1cc51:$a5: \Kometa\User Data\Default\Login Data
1.2.order6566546663.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1571a:$s1: UnHook 0x15721:$s2: SetHook 0x15729:$s3: CallNextHook 0x15736:$s4: _hook
1.2.order6566546663.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x184e0:$x1: $%SMTPDV$ 0x18546:$x2: $#TheHashHere%& 0x19baf:$x3: %FTPDV$ 0x19ca3:$x4: $%TelegramDv$ 0x15d93:$x5: KeyLoggerEventArgs 0x16128:$x5: KeyLoggerEventArgs 0x19bd3:$m2: Clipboard Logs ID 0x19df3:$m2: Screenshot Logs ID 0x19f03:$m2: keystroke Logs ID 0x1a1dd:$m3: SnakePW 0x19dcb:$m4: \SnakeKeylogger\
0.2.order6566546663.exe.3908e20.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.order6566546663.exe.3908e20.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.order6566546663.exe.3908e20.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.order6566546663.exe.3908e20.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b4c:$a1: get_encryptedPassword 0x3556c:$a1: get_encryptedPassword 0x14e38:$a2: get_encryptedUsername 0x35858:$a2: get_encryptedUsername 0x14958:$a3: get_timePasswordChanged 0x35378:$a3: get_timePasswordChanged 0x14a53:$a4: get_passwordField 0x35473:$a4: get_passwordField 0x14b62:$a5: set_encryptedPassword 0x35582:$a5: set_encryptedPassword 0x161c5:$a7: get_logins 0x36be5:$a7: get_logins 0x16128:$a10: KeyLoggerEventArgs 0x36b48:$a10: KeyLoggerEventArgs 0x15d93:$a11: KeyLoggerEventArgsEventHandler 0x367b3:$a11: KeyLoggerEventArgsEventHandler
0.2.order6566546663.exe.3908e20.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5ad:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cfcd:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7df:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c1ff:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc12:$a4: \Orbitum\User Data\Default\Login Data 0x3c632:$a4: \Orbitum\User Data\Default\Login Data 0x1cc51:$a5: \Kometa\User Data\Default\Login Data 0x3d671:$a5: \Kometa\User Data\Default\Login Data
0.2.order6566546663.exe.3908e20.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1571a:$s1: UnHook 0x3613a:$s1: UnHook 0x15721:$s2: SetHook 0x36141:$s2: SetHook 0x15729:$s3: CallNextHook 0x36149:$s3: CallNextHook 0x15736:$s4: _hook 0x36156:$s4: _hook
0.2.order6566546663.exe.3908e20.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x184e0:$x1: $%SMTPDV$ 0x38f00:$x1: $%SMTPDV$ 0x18546:$x2: $#TheHashHere%& 0x38f66:$x2: $#TheHashHere%& 0x19baf:$x3: %FTPDV$ 0x3a5cf:$x3: %FTPDV$ 0x19ca3:$x4: $%TelegramDv$ 0x3a6c3:$x4: $%TelegramDv$ 0x15d93:$x5: KeyLoggerEventArgs 0x16128:$x5: KeyLoggerEventArgs 0x367b3:$x5: KeyLoggerEventArgs 0x36b48:$x5: KeyLoggerEventArgs 0x19bd3:$m2: Clipboard Logs ID 0x19df3:$m2: Screenshot Logs ID 0x19f03:$m2: keystroke Logs ID 0x3a5f3:$m2: Clipboard Logs ID 0x3a813:$m2: Screenshot Logs ID 0x3a923:$m2: keystroke Logs ID 0x1a1dd:$m3: SnakePW 0x3abfd:$m3: SnakePW 0x19dcb:$m4: \SnakeKeylogger\
0.2.order6566546663.exe.280f744.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xcc0e8:$x1: In$J$ct0r 0xcddcc:$a1: WriteProcessMemory 0xcde58:$a1: WriteProcessMemory 0xcdf2c:$a4: VirtualAllocEx 0xce150:$a4: VirtualAllocEx 0xce1d0:$a4: VirtualAllocEx 0x10cf0:$s3: net.pipe 0xcc39c:$s3: net.pipe 0xcc3bc:$s4: vsmacros
0.2.order6566546663.exe.38e81f0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.order6566546663.exe.38e81f0.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.order6566546663.exe.38e81f0.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.order6566546663.exe.38e81f0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b4c:$a1: get_encryptedPassword 0x3577c:$a1: get_encryptedPassword 0x5619c:$a1: get_encryptedPassword 0x14e38:$a2: get_encryptedUsername 0x35a68:$a2: get_encryptedUsername 0x56488:$a2: get_encryptedUsername 0x14958:$a3: get_timePasswordChanged 0x35588:$a3: get_timePasswordChanged 0x55fa8:$a3: get_timePasswordChanged 0x14a53:$a4: get_passwordField 0x35683:$a4: get_passwordField 0x560a3:$a4: get_passwordField 0x14b62:$a5: set_encryptedPassword 0x35792:$a5: set_encryptedPassword 0x561b2:$a5: set_encryptedPassword 0x161c5:$a7: get_logins 0x36df5:$a7: get_logins 0x57815:$a7: get_logins 0x16128:$a10: KeyLoggerEventArgs 0x36d58:$a10: KeyLoggerEventArgs 0x57778:$a10: KeyLoggerEventArgs
0.2.order6566546663.exe.38e81f0.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c5ad:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d1dd:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5dbfd:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b7df:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c40f:$a3: \Google\Chrome\User Data\Default\Login Data 0x5ce2f:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bc12:$a4: \Orbitum\User Data\Default\Login Data 0x3c842:$a4: \Orbitum\User Data\Default\Login Data 0x5d262:$a4: \Orbitum\User Data\Default\Login Data 0x1cc51:$a5: \Kometa\User Data\Default\Login Data 0x3d881:$a5: \Kometa\User Data\Default\Login Data 0x5e2a1:$a5: \Kometa\User Data\Default\Login Data
0.2.order6566546663.exe.38e81f0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1571a:$s1: UnHook 0x3634a:$s1: UnHook 0x56d6a:$s1: UnHook 0x15721:$s2: SetHook 0x36351:$s2: SetHook 0x56d71:$s2: SetHook 0x15729:$s3: CallNextHook 0x36359:$s3: CallNextHook 0x56d79:$s3: CallNextHook 0x15736:$s4: _hook 0x36366:$s4: _hook 0x56d86:$s4: _hook
0.2.order6566546663.exe.38e81f0.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x184e0:$x1: $%SMTPDV$ 0x39110:$x1: $%SMTPDV$ 0x59b30:$x1: $%SMTPDV$ 0x18546:$x2: $#TheHashHere%& 0x39176:$x2: $#TheHashHere%& 0x59b96:$x2: $#TheHashHere%& 0x19baf:$x3: %FTPDV$ 0x3a7df:$x3: %FTPDV$ 0x5b1ff:$x3: %FTPDV$ 0x19ca3:$x4: $%TelegramDv$ 0x3a8d3:$x4: $%TelegramDv$ 0x5b2f3:$x4: $%TelegramDv$ 0x15d93:$x5: KeyLoggerEventArgs 0x16128:$x5: KeyLoggerEventArgs 0x369c3:$x5: KeyLoggerEventArgs 0x36d58:$x5: KeyLoggerEventArgs 0x573e3:$x5: KeyLoggerEventArgs 0x57778:$x5: KeyLoggerEventArgs 0x19bd3:$m2: Clipboard Logs ID 0x19df3:$m2: Screenshot Logs ID 0x19f03:$m2: keystroke Logs ID
0.2.order6566546663.exe.2811f84.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xc98a8:$x1: In$J$ct0r 0xcb58c:$a1: WriteProcessMemory 0xcb618:$a1: WriteProcessMemory 0xcb6ec:$a4: VirtualAllocEx 0xcb910:$a4: VirtualAllocEx 0xcb990:$a4: VirtualAllocEx 0xe4b0:$s3: net.pipe 0xc9b5c:$s3: net.pipe 0xc9b7c:$s4: vsmacros
Click to see the 34 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T02:24:59.421667+0100	2803305	3	Unknown Traffic	192.168.2.5	49706	104.21.48.1	443	TCP
2025-01-16T02:25:09.880761+0100	2803305	3	Unknown Traffic	192.168.2.5	49710	104.21.48.1	443	TCP
2025-01-16T02:25:24.186998+0100	2803305	3	Unknown Traffic	192.168.2.5	49764	104.21.16.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T02:24:57.246624+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	132.226.247.73	80	TCP
2025-01-16T02:24:58.653281+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	132.226.247.73	80	TCP
2025-01-16T02:25:00.152941+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49707	132.226.247.73	80	TCP
2025-01-16T02:25:09.309392+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49709	132.226.247.73	80	TCP
2025-01-16T02:25:23.559296+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49711	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: order6566546663.exe

Avira: detected

Found malware configuration

Source: 00000001.00000002.4500830132.0000000002E41000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "frankichong@yulifertilizer.com.my", "Password": "Ayfc931319*", "Host": "yulifertilizer.com.my", "Port": "25", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: order6566546663.exe	Virustotal: Detection: 51%			Perma Link
Source: order6566546663.exe	ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: order6566546663.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: order6566546663.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49706 version: TLS 1.0

Source: order6566546663.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: order6566546663.exe, 00000000.00000002.2027706449.0000000004F60000.00000004.08000000.00040000.00000000.sdmp, order6566546663.exe, 00000000.00000002.2026923988.0000000002801000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 02C8F1F6h	1_2_02C8F007
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 02C8FB80h	1_2_02C8F007
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_02C8E528
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AE1A38h	1_2_06AE1620
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AE02F1h	1_2_06AE0040
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AEE301h	1_2_06AEE058
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AE1471h	1_2_06AE11C0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AECD49h	1_2_06AECAA0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AED1A1h	1_2_06AECEF8
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AE1A38h	1_2_06AE1617
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AEF8B9h	1_2_06AEF610
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AEFD11h	1_2_06AEFA68
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AEC8F1h	1_2_06AEC648
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AEDA51h	1_2_06AED7A8
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AED5F9h	1_2_06AED350
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AE0751h	1_2_06AE04A0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AEE759h	1_2_06AEE4B0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AEB791h	1_2_06AEB4E8
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AEDEA9h	1_2_06AEDC00
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AEF461h	1_2_06AEF1B8
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AEC041h	1_2_06AEBD98
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AEC499h	1_2_06AEC1F0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AEEBB1h	1_2_06AEE908
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AE0BB1h	1_2_06AE0900
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AE1A38h	1_2_06AE1966
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AE1011h	1_2_06AE0D60
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AEF009h	1_2_06AEED60
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06AEBBE9h	1_2_06AEB940
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06B18945h	1_2_06B18608
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06B16171h	1_2_06B15EC8
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_06B136CE
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06B158C1h	1_2_06B15618
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06B15D19h	1_2_06B15A70
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_06B133B8
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_06B133A8
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06B16E79h	1_2_06B16BD0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06B165C9h	1_2_06B16320
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06B16A21h	1_2_06B16778
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06B17751h	1_2_06B174A8
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06B10741h	1_2_06B10498
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06B10B99h	1_2_06B108F0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06B172FAh	1_2_06B17050
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06B102E9h	1_2_06B10040
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06B18459h	1_2_06B181B0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06B15441h	1_2_06B15198
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06B17BA9h	1_2_06B17900
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06B18001h	1_2_06B17D58
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 4x nop then jmp 06B10FF1h	1_2_06B10D48

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49709 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49711 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49710 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49764 -> 104.21.16.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49706 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: order6566546663.exe, 00000001.00000002.4500830132.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: order6566546663.exe, 00000001.00000002.4500830132.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: order6566546663.exe, 00000001.00000002.4500830132.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: order6566546663.exe, 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: order6566546663.exe, 00000001.00000002.4500830132.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: order6566546663.exe, 00000001.00000002.4500830132.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: order6566546663.exe, 00000001.00000002.4500830132.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: order6566546663.exe, 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: order6566546663.exe, 00000001.00000002.4500830132.0000000002F46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: order6566546663.exe, 00000001.00000002.4500830132.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.order6566546663.exe.4e50000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.order6566546663.exe.3853f90.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.order6566546663.exe.3853f90.2.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.order6566546663.exe.4e50000.5.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.order6566546663.exe.280f744.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.order6566546663.exe.2811f84.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2027290884.0000000004E50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: order6566546663.exe PID: 4512, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: order6566546663.exe PID: 4512, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: order6566546663.exe PID: 6976, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: order6566546663.exe PID: 6976, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: order6566546663.exe

Source: C:\Users\user\Desktop\order6566546663.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 0_2_00E0AE48	0_2_00E0AE48
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_02C8B328	1_2_02C8B328
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_02C8F007	1_2_02C8F007
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_02C8C193	1_2_02C8C193
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_02C86148	1_2_02C86148
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_02C8C751	1_2_02C8C751
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_02C86730	1_2_02C86730
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_02C8C470	1_2_02C8C470
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_02C84AD9	1_2_02C84AD9
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_02C8CA31	1_2_02C8CA31
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_02C8BBD3	1_2_02C8BBD3
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_02C8BEB7	1_2_02C8BEB7
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_02C8CD10	1_2_02C8CD10
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_02C8B4F3	1_2_02C8B4F3
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_02C83570	1_2_02C83570
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_02C8E528	1_2_02C8E528
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_02C8E523	1_2_02C8E523
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AE8460	1_2_06AE8460
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AE3870	1_2_06AE3870
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AE0040	1_2_06AE0040
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEE058	1_2_06AEE058
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AE7D90	1_2_06AE7D90
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AE11C0	1_2_06AE11C0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AECAA0	1_2_06AECAA0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AECA9D	1_2_06AECA9D
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AECEF8	1_2_06AECEF8
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AECEF5	1_2_06AECEF5
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEC638	1_2_06AEC638
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEF600	1_2_06AEF600
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEF610	1_2_06AEF610
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEFA68	1_2_06AEFA68
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEC648	1_2_06AEC648
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEFA59	1_2_06AEFA59
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AED7A8	1_2_06AED7A8
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AED798	1_2_06AED798
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AE73E8	1_2_06AE73E8
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AE73E7	1_2_06AE73E7
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEDBF1	1_2_06AEDBF1
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AED349	1_2_06AED349
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AED350	1_2_06AED350
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AE04A0	1_2_06AE04A0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEE4A0	1_2_06AEE4A0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEE4B0	1_2_06AEE4B0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AE0490	1_2_06AE0490
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEB4E8	1_2_06AEB4E8
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEB4E5	1_2_06AEB4E5
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AE08FC	1_2_06AE08FC
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AE0033	1_2_06AE0033
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEDC00	1_2_06AEDC00
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AE386F	1_2_06AE386F
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEE049	1_2_06AEE049
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AE11BB	1_2_06AE11BB
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEF1B8	1_2_06AEF1B8
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEF1B5	1_2_06AEF1B5
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEBD88	1_2_06AEBD88
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEBD98	1_2_06AEBD98
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEC1E0	1_2_06AEC1E0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEC1F0	1_2_06AEC1F0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEB930	1_2_06AEB930
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEE908	1_2_06AEE908
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AE0900	1_2_06AE0900
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEE901	1_2_06AEE901
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AE0D60	1_2_06AE0D60
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEED60	1_2_06AEED60
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEB940	1_2_06AEB940
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AEED5D	1_2_06AEED5D
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AE0D5B	1_2_06AE0D5B
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1B6E8	1_2_06B1B6E8
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B18608	1_2_06B18608
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1D670	1_2_06B1D670
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1AA58	1_2_06B1AA58
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1C388	1_2_06B1C388
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B18BF2	1_2_06B18BF2
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1B0A0	1_2_06B1B0A0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1D028	1_2_06B1D028
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1A408	1_2_06B1A408
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B111A0	1_2_06B111A0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1C9D8	1_2_06B1C9D8
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1BD38	1_2_06B1BD38
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B15EB8	1_2_06B15EB8
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1B6E7	1_2_06B1B6E7
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B15EC8	1_2_06B15EC8
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B15615	1_2_06B15615
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B15618	1_2_06B15618
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B18602	1_2_06B18602
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B15A70	1_2_06B15A70
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B15A60	1_2_06B15A60
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1D662	1_2_06B1D662
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1AA4E	1_2_06B1AA4E
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B133B8	1_2_06B133B8
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B133A8	1_2_06B133A8
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1C387	1_2_06B1C387
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1A3FE	1_2_06B1A3FE
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B16BD0	1_2_06B16BD0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B16BC9	1_2_06B16BC9
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B13730	1_2_06B13730
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B16320	1_2_06B16320
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B16319	1_2_06B16319
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B16778	1_2_06B16778
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1676A	1_2_06B1676A
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B128B0	1_2_06B128B0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B174A5	1_2_06B174A5
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B174A8	1_2_06B174A8
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B10495	1_2_06B10495
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B10498	1_2_06B10498
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1B09F	1_2_06B1B09F
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B178F0	1_2_06B178F0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B108F0	1_2_06B108F0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B108ED	1_2_06B108ED
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1B6E8	1_2_06B1B6E8
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B14430	1_2_06B14430
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1003D	1_2_06B1003D
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1D027	1_2_06B1D027
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B12807	1_2_06B12807
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B12809	1_2_06B12809
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B17050	1_2_06B17050
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B10040	1_2_06B10040
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B17049	1_2_06B17049
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B181B0	1_2_06B181B0
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B181AD	1_2_06B181AD
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B11191	1_2_06B11191
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B15198	1_2_06B15198
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1518E	1_2_06B1518E
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1C9D7	1_2_06B1C9D7
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B1BD37	1_2_06B1BD37
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B10D39	1_2_06B10D39
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B17900	1_2_06B17900
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B17D51	1_2_06B17D51
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B17D58	1_2_06B17D58
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06B10D48	1_2_06B10D48

Source: order6566546663.exe, 00000000.00000002.2027706449.0000000004F60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs order6566546663.exe
Source: order6566546663.exe, 00000000.00000002.2027017019.0000000003805000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs order6566546663.exe
Source: order6566546663.exe, 00000000.00000002.2027290884.0000000004E50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs order6566546663.exe
Source: order6566546663.exe, 00000000.00000000.2021846884.0000000000422000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBladeNoPa.exe4 vs order6566546663.exe
Source: order6566546663.exe, 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs order6566546663.exe
Source: order6566546663.exe, 00000000.00000002.2024514112.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs order6566546663.exe
Source: order6566546663.exe, 00000000.00000002.2026923988.0000000002801000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs order6566546663.exe
Source: order6566546663.exe, 00000000.00000002.2026923988.0000000002801000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs order6566546663.exe
Source: order6566546663.exe, 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs order6566546663.exe
Source: order6566546663.exe, 00000001.00000002.4499926157.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs order6566546663.exe
Source: order6566546663.exe	Binary or memory string: OriginalFilenameBladeNoPa.exe4 vs order6566546663.exe

Source: order6566546663.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.order6566546663.exe.4e50000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.order6566546663.exe.3853f90.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.order6566546663.exe.3853f90.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.order6566546663.exe.4e50000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.order6566546663.exe.280f744.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.order6566546663.exe.2811f84.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2027290884.0000000004E50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: order6566546663.exe PID: 4512, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: order6566546663.exe PID: 4512, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: order6566546663.exe PID: 6976, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: order6566546663.exe PID: 6976, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3

Source: C:\Users\user\Desktop\order6566546663.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order6566546663.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\order6566546663.exe

Mutant created: NULL

Source: order6566546663.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: order6566546663.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\order6566546663.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: order6566546663.exe, 00000001.00000002.4500830132.0000000003083000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4501829243.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.00000000030C5000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000003091000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000003073000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: order6566546663.exe	Virustotal: Detection: 51%
Source: order6566546663.exe	ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\order6566546663.exe "C:\Users\user\Desktop\order6566546663.exe"
Source: C:\Users\user\Desktop\order6566546663.exe	Process created: C:\Users\user\Desktop\order6566546663.exe "C:\Users\user\Desktop\order6566546663.exe"
Source: C:\Users\user\Desktop\order6566546663.exe	Process created: C:\Users\user\Desktop\order6566546663.exe "C:\Users\user\Desktop\order6566546663.exe"	Jump to behavior

Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\order6566546663.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\order6566546663.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\order6566546663.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: order6566546663.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: order6566546663.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: order6566546663.exe

Static PE information: 0xDA00EF84 [Sun Nov 25 02:40:04 2085 UTC]

Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AE2E78 push esp; iretd	1_2_06AE2E79
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AE6F8B push es; ret	1_2_06AE6FE4
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AE6F13 push es; ret	1_2_06AE6FE4
Source: C:\Users\user\Desktop\order6566546663.exe	Code function: 1_2_06AE7059 push es; iretd	1_2_06AE705C

Source: order6566546663.exe

Static PE information: section name: .text entropy: 7.212572916537044

Source: C:\Users\user\Desktop\order6566546663.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: order6566546663.exe PID: 4512, type: MEMORYSTR

Source: C:\Users\user\Desktop\order6566546663.exe	Memory allocated: E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Memory allocated: 2800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Memory allocated: 4800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Memory allocated: 2C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Memory allocated: 2E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Memory allocated: 4E40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 598464	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 597919	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 597749	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 597638	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 597530	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 597347	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 597214	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 596983	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 596435	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 595561	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 595337	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 595124	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 594892	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 594513	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 594288	Jump to behavior

Source: C:\Users\user\Desktop\order6566546663.exe	Window / User API: threadDelayed 8220			Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Window / User API: threadDelayed 1632			Jump to behavior

Source: C:\Users\user\Desktop\order6566546663.exe TID: 1968	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 5168	Thread sleep count: 8220 > 30	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 5168	Thread sleep count: 1632 > 30	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -598464s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -597919s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -597749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -597638s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -597530s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -597347s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -597214s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -597093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -596983s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -596547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -596435s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -595561s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -595337s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -595124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -594892s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -594766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -594513s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -594406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe TID: 4196	Thread sleep time: -594288s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 598464	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 597919	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 597749	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 597638	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 597530	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 597347	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 597214	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 596983	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 596435	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 595561	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 595337	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 595124	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 594892	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 594513	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Thread delayed: delay time: 594288	Jump to behavior

Source: order6566546663.exe, 00000001.00000002.4500046974.000000000113A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ

Source: C:\Users\user\Desktop\order6566546663.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\order6566546663.exe

Code function: 1_2_06AE7D90 LdrInitializeThunk,

1_2_06AE7D90

Source: C:\Users\user\Desktop\order6566546663.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\order6566546663.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\order6566546663.exe

Memory written: C:\Users\user\Desktop\order6566546663.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\order6566546663.exe

Process created: C:\Users\user\Desktop\order6566546663.exe "C:\Users\user\Desktop\order6566546663.exe"

Jump to behavior

Source: C:\Users\user\Desktop\order6566546663.exe	Queries volume information: C:\Users\user\Desktop\order6566546663.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Queries volume information: C:\Users\user\Desktop\order6566546663.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\order6566546663.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4500830132.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4500830132.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: order6566546663.exe PID: 4512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: order6566546663.exe PID: 6976, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\order6566546663.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\order6566546663.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\order6566546663.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: order6566546663.exe PID: 4512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: order6566546663.exe PID: 6976, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.order6566546663.exe.3908e20.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order6566546663.exe.38e81f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.order6566546663.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order6566546663.exe.3908e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order6566546663.exe.38e81f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4500830132.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4500830132.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: order6566546663.exe PID: 4512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: order6566546663.exe PID: 6976, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
order6566546663.exe	51%	Virustotal		Browse
order6566546663.exe	39%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
order6566546663.exe	100%	Avira	HEUR/AGEN.1311171
order6566546663.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.48.1	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	order6566546663.exe, 00000001.00000002.4500830132.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F46000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	order6566546663.exe, 00000001.00000002.4500830132.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F46000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	order6566546663.exe, 00000001.00000002.4500830132.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	order6566546663.exe, 00000001.00000002.4500830132.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	order6566546663.exe, 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	order6566546663.exe, 00000001.00000002.4500830132.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F46000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	order6566546663.exe, 00000001.00000002.4500830132.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	order6566546663.exe, 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4500830132.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, order6566546663.exe, 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.48.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
104.21.16.1	unknown	United States	13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592378
Start date and time:	2025-01-16 02:24:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	order6566546663.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 128 Number of non-executed functions: 43
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:24:58	API Interceptor	12740190x Sleep call for process: order6566546663.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	ydJaT4b5N8.exe	Get hash	malicious	FormBook	Browse	www.vilakodsiy.sbs/vq3j/
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.axis138ae.shop/j2vs/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
104.21.16.1	MACHINE SPECIFICATIONS.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	1001-13.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/utww/
	trow.exe	Get hash	malicious	Unknown	Browse	www.wifi4all.nl/
	8L6MBxaJ2m.exe	Get hash	malicious	FormBook	Browse	www.rafconstrutora.online/0xli/
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.kkpmoneysocial.top/86am/
	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php
132.226.247.73	BNXCXCJSD.jse	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	NEWORDER.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	RENH3RE2025QUOTE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	BNXCXCJSD.jse	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	NEWORDER.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PDF6UU0CVUO2W-YGVUIO.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	PO#_1100015533.scr	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	1nl3hc.ps1	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	Contrarre.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
reallyfreegeoip.org	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	BNXCXCJSD.jse	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	NEWORDER.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	PDF6UU0CVUO2W-YGVUIO.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	PO#_1100015533.scr	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	1nl3hc.ps1	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	Contrarre.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	Subscription_Renewal_Invoice_2025_FGHDCS.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://yogalisbon.gitcz.pw/sign-in	Get hash	malicious	Unknown	Browse	104.21.112.1
	http://com-evaluate-fanpage30127.pages.dev/help/contact/671203900952887	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	http://docs-wltconnect.gitbook.io/us-en	Get hash	malicious	HTMLPhisher	Browse	172.64.147.209
	https://inhospitality.shop/	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://shorten.so/fVj82	Get hash	malicious	Porn Scam	Browse	104.21.54.29
	https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	http://hrpibzdeam.xyz/	Get hash	malicious	Unknown	Browse	172.67.196.118
	http://logincrypto-crypto.gitbook.io/us	Get hash	malicious	HTMLPhisher	Browse	172.64.147.209
CLOUDFLARENETUS	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	Subscription_Renewal_Invoice_2025_FGHDCS.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://yogalisbon.gitcz.pw/sign-in	Get hash	malicious	Unknown	Browse	104.21.112.1
	http://com-evaluate-fanpage30127.pages.dev/help/contact/671203900952887	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	http://docs-wltconnect.gitbook.io/us-en	Get hash	malicious	HTMLPhisher	Browse	172.64.147.209
	https://inhospitality.shop/	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://shorten.so/fVj82	Get hash	malicious	Porn Scam	Browse	104.21.54.29
	https://m3ins.azurewebsites.net/?user-agent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	http://hrpibzdeam.xyz/	Get hash	malicious	Unknown	Browse	172.67.196.118
	http://logincrypto-crypto.gitbook.io/us	Get hash	malicious	HTMLPhisher	Browse	172.64.147.209
UTMEMUS	BNXCXCJSD.jse	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	NEWORDER.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	330tqxXVzm.dll	Get hash	malicious	Wannacry	Browse	132.224.47.164
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Confirm Bank Statement.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	RENH3RE2025QUOTE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	tN8GsMV1le.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	BNXCXCJSD.jse	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	NEWORDER.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	PDF6UU0CVUO2W-YGVUIO.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	1nl3hc.ps1	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	Contrarre.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	Company introduction.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	rDEKONT-1_15_2025__75kb__pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	RFQ_AS0101402025.22025_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1

Process:	C:\Users\user\Desktop\order6566546663.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	706
Entropy (8bit):	5.349842958726647
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M9XKbbDLI4MWuPJKAVKhat92n4M6:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84j
MD5:	9BA266AD16952A9A57C3693E0BCFED48
SHA1:	5DB70A3A7F1DB4E3879265AB336B2FA1AFBCECD5
SHA-256:	A6DFD14E82D7D47195A1EC7F31E64C2820AB8721EF4B5825E21E742093B55C0E
SHA-512:	678E1F639379FC24919B7CF562FA19CE53363CBD4B0EAB66486F6F8D5DD5958DE3AAE8D7842EE868EFCC39D907FDC1A3ACF464E29D37B0DAEE9874C39730FE8E
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.202178662583017
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	order6566546663.exe
File size:	591'360 bytes
MD5:	71bd2f038e92ae0e3b95a7567511458e
SHA1:	816293b2472e394288fc9c91bdff206ab8ef52e2
SHA256:	13ba4ee3d7accddd8dbce8e4bc4a623e0b7bf30350fe9d58f1c269cd744bb835
SHA512:	6504c277444190aff4ec14dfc0a9a47c84a61eaaa772088cd003cb93589334e8bd8e79928578b4f5fd61783f97c6317c22d75777db5bba53058c21ab797b40b6
SSDEEP:	12288:ZbRKjP7ne23gAcdtfD1IWPUK/IBW+hb9LiMPXPgm:DKjP7e23gAcvfD1IhW+VR
TLSH:	A9C4BE9C2B9489F5D87A45F29CF2545E7B78A90221F0E46420CB0EDDADDAF43099837F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x491bce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xDA00EF84 [Sun Nov 25 02:40:04 2085 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x91b80	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x92000	0x5a6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x94000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8fbd4	0x8fc00	6d537b26dfad2925f7236c3d04c2812f	False	0.5194667119565217	data	7.212572916537044	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x92000	0x5a6	0x600	c474081526abd64245cfd3ae4521545e	False	0.4173177083333333	data	4.084105898819439	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x94000	0xc	0x200	48598e14c8fb96c5183ccca32e3b49d0	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x920a0	0x31c	data			0.4296482412060301
RT_MANIFEST	0x923bc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-16T02:24:57.246624+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	132.226.247.73	80	TCP
2025-01-16T02:24:58.653281+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	132.226.247.73	80	TCP
2025-01-16T02:24:59.421667+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49706	104.21.48.1	443	TCP
2025-01-16T02:25:00.152941+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49707	132.226.247.73	80	TCP
2025-01-16T02:25:09.309392+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49709	132.226.247.73	80	TCP
2025-01-16T02:25:09.880761+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49710	104.21.48.1	443	TCP
2025-01-16T02:25:23.559296+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49711	132.226.247.73	80	TCP
2025-01-16T02:25:24.186998+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49764	104.21.16.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 02:24:56.252290964 CET	49704	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:24:56.257337093 CET	80	49704	132.226.247.73	192.168.2.5
Jan 16, 2025 02:24:56.257422924 CET	49704	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:24:56.257647038 CET	49704	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:24:56.262491941 CET	80	49704	132.226.247.73	192.168.2.5
Jan 16, 2025 02:24:56.971379995 CET	80	49704	132.226.247.73	192.168.2.5
Jan 16, 2025 02:24:56.986675024 CET	49704	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:24:56.991909981 CET	80	49704	132.226.247.73	192.168.2.5
Jan 16, 2025 02:24:57.198585033 CET	80	49704	132.226.247.73	192.168.2.5
Jan 16, 2025 02:24:57.240565062 CET	49705	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:24:57.240605116 CET	443	49705	104.21.48.1	192.168.2.5
Jan 16, 2025 02:24:57.240708113 CET	49705	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:24:57.246623993 CET	49704	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:24:57.247029066 CET	49705	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:24:57.247047901 CET	443	49705	104.21.48.1	192.168.2.5
Jan 16, 2025 02:24:57.762828112 CET	443	49705	104.21.48.1	192.168.2.5
Jan 16, 2025 02:24:57.762912989 CET	49705	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:24:57.797163010 CET	49705	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:24:57.797182083 CET	443	49705	104.21.48.1	192.168.2.5
Jan 16, 2025 02:24:57.797616005 CET	443	49705	104.21.48.1	192.168.2.5
Jan 16, 2025 02:24:57.843446970 CET	49705	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:24:58.148874998 CET	49705	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:24:58.195333004 CET	443	49705	104.21.48.1	192.168.2.5
Jan 16, 2025 02:24:58.271003008 CET	443	49705	104.21.48.1	192.168.2.5
Jan 16, 2025 02:24:58.271167040 CET	443	49705	104.21.48.1	192.168.2.5
Jan 16, 2025 02:24:58.271224976 CET	49705	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:24:58.287076950 CET	49705	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:24:58.290359020 CET	49704	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:24:58.295397043 CET	80	49704	132.226.247.73	192.168.2.5
Jan 16, 2025 02:24:58.611833096 CET	80	49704	132.226.247.73	192.168.2.5
Jan 16, 2025 02:24:58.613658905 CET	49706	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:24:58.613692999 CET	443	49706	104.21.48.1	192.168.2.5
Jan 16, 2025 02:24:58.613765955 CET	49706	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:24:58.614113092 CET	49706	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:24:58.614123106 CET	443	49706	104.21.48.1	192.168.2.5
Jan 16, 2025 02:24:58.653280973 CET	49704	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:24:59.110253096 CET	443	49706	104.21.48.1	192.168.2.5
Jan 16, 2025 02:24:59.112519979 CET	49706	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:24:59.112559080 CET	443	49706	104.21.48.1	192.168.2.5
Jan 16, 2025 02:24:59.421744108 CET	443	49706	104.21.48.1	192.168.2.5
Jan 16, 2025 02:24:59.421906948 CET	443	49706	104.21.48.1	192.168.2.5
Jan 16, 2025 02:24:59.421967983 CET	49706	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:24:59.422205925 CET	49706	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:24:59.424841881 CET	49704	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:24:59.425643921 CET	49707	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:24:59.429965973 CET	80	49704	132.226.247.73	192.168.2.5
Jan 16, 2025 02:24:59.430046082 CET	49704	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:24:59.430556059 CET	80	49707	132.226.247.73	192.168.2.5
Jan 16, 2025 02:24:59.430654049 CET	49707	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:24:59.430731058 CET	49707	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:24:59.435497999 CET	80	49707	132.226.247.73	192.168.2.5
Jan 16, 2025 02:25:00.104075909 CET	80	49707	132.226.247.73	192.168.2.5
Jan 16, 2025 02:25:00.105897903 CET	49708	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:25:00.105990887 CET	443	49708	104.21.48.1	192.168.2.5
Jan 16, 2025 02:25:00.106097937 CET	49708	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:25:00.106453896 CET	49708	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:25:00.106492043 CET	443	49708	104.21.48.1	192.168.2.5
Jan 16, 2025 02:25:00.152940989 CET	49707	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:00.578672886 CET	443	49708	104.21.48.1	192.168.2.5
Jan 16, 2025 02:25:00.582032919 CET	49708	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:25:00.582103968 CET	443	49708	104.21.48.1	192.168.2.5
Jan 16, 2025 02:25:00.711308956 CET	443	49708	104.21.48.1	192.168.2.5
Jan 16, 2025 02:25:00.711503029 CET	443	49708	104.21.48.1	192.168.2.5
Jan 16, 2025 02:25:00.711574078 CET	49708	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:25:00.712116003 CET	49708	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:25:00.718039989 CET	49707	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:00.719485998 CET	49709	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:00.723136902 CET	80	49707	132.226.247.73	192.168.2.5
Jan 16, 2025 02:25:00.723269939 CET	49707	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:00.724406004 CET	80	49709	132.226.247.73	192.168.2.5
Jan 16, 2025 02:25:00.724502087 CET	49709	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:00.724668980 CET	49709	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:00.729445934 CET	80	49709	132.226.247.73	192.168.2.5
Jan 16, 2025 02:25:09.260112047 CET	80	49709	132.226.247.73	192.168.2.5
Jan 16, 2025 02:25:09.261517048 CET	49710	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:25:09.261562109 CET	443	49710	104.21.48.1	192.168.2.5
Jan 16, 2025 02:25:09.261641026 CET	49710	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:25:09.261883974 CET	49710	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:25:09.261902094 CET	443	49710	104.21.48.1	192.168.2.5
Jan 16, 2025 02:25:09.309391975 CET	49709	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:09.731015921 CET	443	49710	104.21.48.1	192.168.2.5
Jan 16, 2025 02:25:09.732515097 CET	49710	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:25:09.732551098 CET	443	49710	104.21.48.1	192.168.2.5
Jan 16, 2025 02:25:09.880850077 CET	443	49710	104.21.48.1	192.168.2.5
Jan 16, 2025 02:25:09.881000996 CET	443	49710	104.21.48.1	192.168.2.5
Jan 16, 2025 02:25:09.881139994 CET	49710	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:25:09.881463051 CET	49710	443	192.168.2.5	104.21.48.1
Jan 16, 2025 02:25:09.884381056 CET	49709	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:09.885504961 CET	49711	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:09.889393091 CET	80	49709	132.226.247.73	192.168.2.5
Jan 16, 2025 02:25:09.889481068 CET	49709	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:09.890333891 CET	80	49711	132.226.247.73	192.168.2.5
Jan 16, 2025 02:25:09.890414000 CET	49711	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:09.890480995 CET	49711	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:09.895231962 CET	80	49711	132.226.247.73	192.168.2.5
Jan 16, 2025 02:25:23.515515089 CET	80	49711	132.226.247.73	192.168.2.5
Jan 16, 2025 02:25:23.524065971 CET	49764	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:23.524115086 CET	443	49764	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:23.524220943 CET	49764	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:23.524504900 CET	49764	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:23.524533987 CET	443	49764	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:23.559295893 CET	49711	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:23.995119095 CET	443	49764	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:24.008605003 CET	49764	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:24.008658886 CET	443	49764	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:24.187093019 CET	443	49764	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:24.187251091 CET	443	49764	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:24.187355042 CET	49764	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:24.187544107 CET	49764	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:24.191694975 CET	49770	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:24.196758032 CET	80	49770	132.226.247.73	192.168.2.5
Jan 16, 2025 02:25:24.196852922 CET	49770	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:24.196924925 CET	49770	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:24.201715946 CET	80	49770	132.226.247.73	192.168.2.5
Jan 16, 2025 02:25:25.774389029 CET	80	49770	132.226.247.73	192.168.2.5
Jan 16, 2025 02:25:25.775748014 CET	49780	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:25.775778055 CET	443	49780	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:25.775882959 CET	49780	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:25.776150942 CET	49780	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:25.776160955 CET	443	49780	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:25.825016022 CET	49770	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:26.235248089 CET	443	49780	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:26.236892939 CET	49780	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:26.236922979 CET	443	49780	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:26.382638931 CET	443	49780	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:26.382783890 CET	443	49780	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:26.382865906 CET	49780	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:26.383301020 CET	49780	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:26.386306047 CET	49770	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:26.387229919 CET	49786	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:26.391433001 CET	80	49770	132.226.247.73	192.168.2.5
Jan 16, 2025 02:25:26.391506910 CET	49770	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:26.392052889 CET	80	49786	132.226.247.73	192.168.2.5
Jan 16, 2025 02:25:26.392189980 CET	49786	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:26.392298937 CET	49786	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:26.397113085 CET	80	49786	132.226.247.73	192.168.2.5
Jan 16, 2025 02:25:27.164477110 CET	80	49786	132.226.247.73	192.168.2.5
Jan 16, 2025 02:25:27.166393042 CET	49792	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:27.166449070 CET	443	49792	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:27.166555882 CET	49792	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:27.166841030 CET	49792	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:27.166872978 CET	443	49792	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:27.215534925 CET	49786	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:27.640358925 CET	443	49792	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:27.642497063 CET	49792	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:27.642544031 CET	443	49792	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:27.769555092 CET	443	49792	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:27.769629955 CET	443	49792	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:27.769835949 CET	49792	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:27.770329952 CET	49792	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:27.774684906 CET	49786	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:27.776216030 CET	49798	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:27.780000925 CET	80	49786	132.226.247.73	192.168.2.5
Jan 16, 2025 02:25:27.780075073 CET	49786	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:27.781361103 CET	80	49798	132.226.247.73	192.168.2.5
Jan 16, 2025 02:25:27.781630993 CET	49798	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:27.781753063 CET	49798	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:27.786694050 CET	80	49798	132.226.247.73	192.168.2.5
Jan 16, 2025 02:25:28.575320005 CET	80	49798	132.226.247.73	192.168.2.5
Jan 16, 2025 02:25:28.578675985 CET	49804	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:28.578708887 CET	443	49804	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:28.578795910 CET	49804	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:28.579085112 CET	49804	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:28.579097033 CET	443	49804	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:28.621865988 CET	49798	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:25:29.065023899 CET	443	49804	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:29.074122906 CET	49804	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:29.074162006 CET	443	49804	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:29.220793962 CET	443	49804	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:29.220943928 CET	443	49804	104.21.16.1	192.168.2.5
Jan 16, 2025 02:25:29.221033096 CET	49804	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:25:29.221489906 CET	49804	443	192.168.2.5	104.21.16.1
Jan 16, 2025 02:26:28.515470028 CET	80	49711	132.226.247.73	192.168.2.5
Jan 16, 2025 02:26:28.515674114 CET	49711	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:26:33.574318886 CET	80	49798	132.226.247.73	192.168.2.5
Jan 16, 2025 02:26:33.574398041 CET	49798	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:27:08.591672897 CET	49798	80	192.168.2.5	132.226.247.73
Jan 16, 2025 02:27:08.596610069 CET	80	49798	132.226.247.73	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 02:24:56.238338947 CET	56264	53	192.168.2.5	1.1.1.1
Jan 16, 2025 02:24:56.245770931 CET	53	56264	1.1.1.1	192.168.2.5
Jan 16, 2025 02:24:57.233042002 CET	56017	53	192.168.2.5	1.1.1.1
Jan 16, 2025 02:24:57.240053892 CET	53	56017	1.1.1.1	192.168.2.5
Jan 16, 2025 02:25:23.516813993 CET	49714	53	192.168.2.5	1.1.1.1
Jan 16, 2025 02:25:23.523329020 CET	53	49714	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 16, 2025 02:24:56.238338947 CET	192.168.2.5	1.1.1.1	0x704	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:24:57.233042002 CET	192.168.2.5	1.1.1.1	0xf535	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:25:23.516813993 CET	192.168.2.5	1.1.1.1	0xdb56	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 16, 2025 02:24:56.245770931 CET	1.1.1.1	192.168.2.5	0x704	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 02:24:56.245770931 CET	1.1.1.1	192.168.2.5	0x704	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:24:56.245770931 CET	1.1.1.1	192.168.2.5	0x704	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:24:56.245770931 CET	1.1.1.1	192.168.2.5	0x704	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:24:56.245770931 CET	1.1.1.1	192.168.2.5	0x704	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:24:56.245770931 CET	1.1.1.1	192.168.2.5	0x704	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:24:57.240053892 CET	1.1.1.1	192.168.2.5	0xf535	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:24:57.240053892 CET	1.1.1.1	192.168.2.5	0xf535	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:24:57.240053892 CET	1.1.1.1	192.168.2.5	0xf535	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:24:57.240053892 CET	1.1.1.1	192.168.2.5	0xf535	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:24:57.240053892 CET	1.1.1.1	192.168.2.5	0xf535	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:24:57.240053892 CET	1.1.1.1	192.168.2.5	0xf535	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:24:57.240053892 CET	1.1.1.1	192.168.2.5	0xf535	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:25:23.523329020 CET	1.1.1.1	192.168.2.5	0xdb56	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:25:23.523329020 CET	1.1.1.1	192.168.2.5	0xdb56	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:25:23.523329020 CET	1.1.1.1	192.168.2.5	0xdb56	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:25:23.523329020 CET	1.1.1.1	192.168.2.5	0xdb56	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:25:23.523329020 CET	1.1.1.1	192.168.2.5	0xdb56	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:25:23.523329020 CET	1.1.1.1	192.168.2.5	0xdb56	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 02:25:23.523329020 CET	1.1.1.1	192.168.2.5	0xdb56	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	132.226.247.73	80	6976	C:\Users\user\Desktop\order6566546663.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 02:24:56.257647038 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 02:24:56.971379995 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:56 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 16, 2025 02:24:56.986675024 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 02:24:57.198585033 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:57 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 16, 2025 02:24:58.290359020 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 02:24:58.611833096 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49707	132.226.247.73	80	6976	C:\Users\user\Desktop\order6566546663.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 02:24:59.430731058 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 02:25:00.104075909 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:25:00 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49709	132.226.247.73	80	6976	C:\Users\user\Desktop\order6566546663.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 02:25:00.724668980 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 02:25:09.260112047 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:25:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49711	132.226.247.73	80	6976	C:\Users\user\Desktop\order6566546663.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 02:25:09.890480995 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 16, 2025 02:25:23.515515089 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:25:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49770	132.226.247.73	80	6976	C:\Users\user\Desktop\order6566546663.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 02:25:24.196924925 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 02:25:25.774389029 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:25:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49786	132.226.247.73	80	6976	C:\Users\user\Desktop\order6566546663.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 02:25:26.392298937 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 02:25:27.164477110 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:25:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49798	132.226.247.73	80	6976	C:\Users\user\Desktop\order6566546663.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 02:25:27.781753063 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 16, 2025 02:25:28.575320005 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:25:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	104.21.48.1	443	6976	C:\Users\user\Desktop\order6566546663.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 01:24:58 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 01:24:58 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:58 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2305487 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=18Xwuilo7Xz%2BrYj1t4tqGnm1SOFHgwwUtYmG6y7%2FOoQFjJyKeY2l6YH8HNKk7R40YzcWq7Nc%2F3jbLxjCp6UnAZ4un7M7Iw4YiZskNNQceEEe1%2FEY3xpKisgSJuVZdw8dNqs9QNEc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902a4f17ceaf8cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1938&min_rtt=1936&rtt_var=730&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1495901&cwnd=244&unsent_bytes=0&cid=a590337336c3c2c4&ts=528&x=0"
2025-01-16 01:24:58 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	104.21.48.1	443	6976	C:\Users\user\Desktop\order6566546663.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 01:24:59 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-16 01:24:59 UTC	858	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:24:59 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2305488 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2NpcwcJis41%2F3B0YdYSmrNvQZIPWA1r7CiLwW92mbzvnPAa1W%2BRSKFwQSZ%2BOz6AxyHGOi1rd1b6jW8pui0eimvhRYwvzBppOHQQcfSoByPVBVAxNc0SQ4HopGpm0Vy%2BhMus%2FzRTO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902a4f1dfbef8c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1845&min_rtt=1845&rtt_var=922&sent=5&recv=7&lost=0&retrans=1&sent_bytes=4238&recv_bytes=699&delivery_rate=224235&cwnd=238&unsent_bytes=0&cid=8581e4475b0cd1bb&ts=166&x=0"
2025-01-16 01:24:59 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49708	104.21.48.1	443	6976	C:\Users\user\Desktop\order6566546663.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 01:25:00 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 01:25:00 UTC	861	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:25:00 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2305489 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7FFDJaLtlhRrOzRvat4%2Fl%2Fcg21Ab2ZGPsmS1m6nfVYv2V8mjdSQfXGFrkW0M%2F0lekzQt6CVeoXIx0%2FrdNhRulTHiCFTnVy69z0EiUy6AXA4%2FLkRul4LLgWVhgXjKeoq2hY%2BmRYal"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902a4f26fb37c323-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1474&min_rtt=1463&rtt_var=571&sent=3&recv=5&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1879021&cwnd=214&unsent_bytes=0&cid=8410f429953068ba&ts=142&x=0"
2025-01-16 01:25:00 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49710	104.21.48.1	443	6976	C:\Users\user\Desktop\order6566546663.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 01:25:09 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-16 01:25:09 UTC	851	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:25:09 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2305498 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=65hAl7NZk5FYCWvABsXuf4E9QdLTuzB5qT69iMM1RyhPzKAORaXdNJJfF5iqg5ai7V5CiugasmBeYCgPiXpvh08g7BQy9ReEgxRABJAo9baz2M2PkY%2FPJSf9KrTiE1ocv2lHGtto"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902a4f6049c443be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1594&rtt_var=610&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1776155&cwnd=229&unsent_bytes=0&cid=bd2c1cb288e3d1fb&ts=142&x=0"
2025-01-16 01:25:09 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49764	104.21.16.1	443	6976	C:\Users\user\Desktop\order6566546663.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 01:25:24 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-16 01:25:24 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:25:24 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2305513 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FQ9LH%2BHZsYcyysba4n%2FyEXkMiAr6rPDFZBrGTfyFKZri94g75i1TNXfPwg2YXz%2FDGXAZ2h8OGRDzVuyWVsKroydDr0dAHz32MNkCr6rPS5R0Cs96LKAJ5qQ3aBBkzzf6W0d3MoS3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902a4fb98d5c7293-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1882&min_rtt=1874&rtt_var=718&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1506707&cwnd=158&unsent_bytes=0&cid=a13d433b803be8f9&ts=164&x=0"
2025-01-16 01:25:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49780	104.21.16.1	443	6976	C:\Users\user\Desktop\order6566546663.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 01:25:26 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 01:25:26 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:25:26 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2305515 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SUNDZdx4zCQ4A2ZOH7atxb%2FHcc8v8HtUnZqj3vJcXPSczvlGtjGe4RsE%2FbGHRGb6ZCDTAQ9Ldd5TJ6mtYSakgtscLGQceKF6Itpu14qwn8muTa3Eu31YG%2BEEluKZfqU4SD8fdtBp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902a4fc78f990fa8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1910&min_rtt=1521&rtt_var=848&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1919789&cwnd=252&unsent_bytes=0&cid=a95f0a2cf5d81654&ts=156&x=0"
2025-01-16 01:25:26 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49792	104.21.16.1	443	6976	C:\Users\user\Desktop\order6566546663.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 01:25:27 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 01:25:27 UTC	861	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:25:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2305516 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N3iXFvTuqPeJAwIvxuk9ij%2BCj%2BbFEbTBBy14AJUIO1zs25AGnCusOYloEXtl%2FXzq9RMkLRpalaU%2FNJS%2BwocmjBk%2BT81IoLfCUj3s3xW99hZPGmjuUHjGqkQSWv6XVE5EEjiUIGZC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902a4fd0396f0fa8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1450&min_rtt=1446&rtt_var=551&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1970310&cwnd=252&unsent_bytes=0&cid=2da5218872416a1c&ts=142&x=0"
2025-01-16 01:25:27 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49804	104.21.16.1	443	6976	C:\Users\user\Desktop\order6566546663.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 01:25:29 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-16 01:25:29 UTC	861	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 01:25:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2305518 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xRda%2Fu7YD3K4K%2Bn1v1li993%2FXn9ZWPlf0L3SQIapc%2FTcRWJ1tcPtmjTNwqPtK56ls%2Fr2Ndh0990mYmhDpK0DjAWAnTzz%2FdB6XFJckHy1a7Eqty9INKHsPAD3pIV2rQDgaqbMV6T6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902a4fd93c7d41ba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1650&min_rtt=1641&rtt_var=633&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1704611&cwnd=192&unsent_bytes=0&cid=03d4839e9d907c82&ts=166&x=0"
2025-01-16 01:25:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	20:24:55
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\order6566546663.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\order6566546663.exe"
Imagebase:	0x420000
File size:	591'360 bytes
MD5 hash:	71BD2F038E92AE0E3B95A7567511458E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000000.00000002.2027290884.0000000004E50000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2027017019.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:24:55
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\order6566546663.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\order6566546663.exe"
Imagebase:	0xab0000
File size:	591'360 bytes
MD5 hash:	71BD2F038E92AE0E3B95A7567511458E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000002.4499847715.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4500830132.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4500830132.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	76%
Total number of Nodes:	25
Total number of Limit Nodes:	1

Executed Functions

Function 00E0AE48 Relevance: 1.9, Strings: 1, Instructions: 615
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 00E0B5F8

Memory Dump Source

Source File: 00000000.00000002.2026629867.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_order6566546663.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 3f9f2743f526ec2f4af24ed8c532df2403802b6fbf080c42b6198263ca19d7e0
Instruction ID: cc5df36572621c5b76de1ad873f0a4eb52fbaee03b4727c2b518da13545992b6
Opcode Fuzzy Hash: 3f9f2743f526ec2f4af24ed8c532df2403802b6fbf080c42b6198263ca19d7e0
Instruction Fuzzy Hash: DB52BE70E012288FDB68DF65C994BDDBBF2BB89304F1495EA9409AB291DB345EC5CF40

Function 00E09F3C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00E0BB49

Memory Dump Source

Source File: 00000000.00000002.2026629867.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_order6566546663.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b784395b67c61cf404094743073931a64f9c3bfa12faecfb77eb26dc32255aa0
Instruction ID: 2799c39acf3fa88ccded37ac8e9510806c3a6c3a0a234b21cda7e02b97b73b76
Opcode Fuzzy Hash: b784395b67c61cf404094743073931a64f9c3bfa12faecfb77eb26dc32255aa0
Instruction Fuzzy Hash: 4381CF74D40269CFDB21CFA9C980BEDBBF5BB49304F1091AAE508B7260DB749A85CF54

Function 00E0AA20 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00E0AAF3

Memory Dump Source

Source File: 00000000.00000002.2026629867.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_order6566546663.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d361dd5ad00cd429d57b47846ddf31be1f661097ffada793b442ab29992ba340
Instruction ID: a65db5ce386ef6c401af36035345cb35bc031051819fe14085b35de6e806c254
Opcode Fuzzy Hash: d361dd5ad00cd429d57b47846ddf31be1f661097ffada793b442ab29992ba340
Instruction Fuzzy Hash: 47419BB4D012589FCF00CFA9D984ADEFBF1BB49310F14902AE419B7250D774AA45CF64

Function 00E09F60 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00E0BE55

Memory Dump Source

Source File: 00000000.00000002.2026629867.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_order6566546663.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 248a0e0cc47cdefffa19124a7c81ebfcc049c42fdb5d93154ac763d7f2c98ebd
Instruction ID: d238a78f84d739c6aed0c3cd6325726a7baf7ad63ea1d0b84be2c17b7207c844
Opcode Fuzzy Hash: 248a0e0cc47cdefffa19124a7c81ebfcc049c42fdb5d93154ac763d7f2c98ebd
Instruction Fuzzy Hash: 4F4196B9D04258DFCF10CFAAD984ADEFBB5BB09310F10A02AE918B7250D375A945CF64

Function 00E0AB78 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00E0AC22

Memory Dump Source

Source File: 00000000.00000002.2026629867.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_order6566546663.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 83c49a24c466965d2e8b6a94110be85e5f1c93303904533263b379efa7a23d48
Instruction ID: c3e3a3b9554effa6692d8f2080b2303a848c57e00e23af6b42ea0ff9fc9000a1
Opcode Fuzzy Hash: 83c49a24c466965d2e8b6a94110be85e5f1c93303904533263b379efa7a23d48
Instruction Fuzzy Hash: F531A9B8D002589FCF10CFA9D980ADEFBB5FB49310F10A42AE815B7250D735A941CF65

Function 00E0A8F8 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00E0A9A7

Memory Dump Source

Source File: 00000000.00000002.2026629867.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_order6566546663.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 00d1093249f92a50dfbde3ae34933548840f3407bd7c3122181a1931ef442500
Instruction ID: 610c994e83b33b1a97c2c0ae15a490ddde0986d6d2b24e62ad05776d15a5d897
Opcode Fuzzy Hash: 00d1093249f92a50dfbde3ae34933548840f3407bd7c3122181a1931ef442500
Instruction Fuzzy Hash: 9631BEB4D002589FCB10DFA9D485AEEFBF1BF49310F14902AE419B7240D778A985CF94

Function 00E09F48 Relevance: 1.6, APIs: 1, Instructions: 91
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64GetThreadContext.KERNEL32(?,?), ref: 00E0BD42

Memory Dump Source

Source File: 00000000.00000002.2026629867.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_order6566546663.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a846091d4708092bfe2c300eac000eaa71d55d11af5e6b3dc8f62b94f9a75be3
Instruction ID: 1257a954f5a786bfe9a793a21528654a21be6840442e136f3cecd61fc57d870e
Opcode Fuzzy Hash: a846091d4708092bfe2c300eac000eaa71d55d11af5e6b3dc8f62b94f9a75be3
Instruction Fuzzy Hash: B5319AB4D012589FDB10CFA9D584ADEFBF1BB49314F24902AE418B7250D378A985CFA4

Function 00E0AC98 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 00E0AD16

Memory Dump Source

Source File: 00000000.00000002.2026629867.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_order6566546663.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 568cb535b16fa570ed701c0c4d3c25a7a47bc0e8a67042a008ac4d65c972b3a6
Instruction ID: e1fad5de9cba7ce014b5398a7c5293b4bf67aafc9bbe40800e322389ed392649
Opcode Fuzzy Hash: 568cb535b16fa570ed701c0c4d3c25a7a47bc0e8a67042a008ac4d65c972b3a6
Instruction Fuzzy Hash: 9D31CBB4D002189FCB14DFA9D481A9EFBB5FF49314F14942AE819B7240C735A941CFA4

Function 00B9D4FC Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2025662060.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910010bfdc84e03dde6673379d0183dbb11622d616efca31573dbe234d6eac90
Instruction ID: 97044891534692ead1b3bd42b93be16800817ed28655071353d2af031feb28a3
Opcode Fuzzy Hash: 910010bfdc84e03dde6673379d0183dbb11622d616efca31573dbe234d6eac90
Instruction Fuzzy Hash: 0B210371600204DFCF05DF14D9C0B26BFA5FBA8318F21C5B9E9090B256C33AD816DBA2

Function 00B9D5E8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025662060.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb840833f3fe8e273b4045fc37d93c4e9a68501b81546d7ba06367d3e32fcb08
Instruction ID: 1bafce9c96f61ed973a1d2353142bd7aadab4afd633a19568695e9f819ece5b3
Opcode Fuzzy Hash: bb840833f3fe8e273b4045fc37d93c4e9a68501b81546d7ba06367d3e32fcb08
Instruction Fuzzy Hash: A321D372504204DFDF05DF15D9C0B26BFA5FBA8314F2485B9E90D0B26AC33AD856DAA1

Function 00B9D4F7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025662060.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 47e1dc025ef0bde45afcf4c5f77fd2af652cd44fd5cf5535cc02fc162278a8f8
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 3611D376504244CFCF06DF10D5C4B16BFB2FBA4314F25C6A9D9490B256C33AD85ACBA2

Function 00B9D5E3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025662060.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 33b3818d8a4365df1fb81fb790674acca0d3b778e5cc485062dc002142fce03e
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 2D11D376504240CFCF16CF14D9C4B16BFB1FB94314F24C6A9D9490B256C33AD85ACBA2

Analysis Process: order6566546663.exePID: 6976, Parent PID: 4512COMMON

Execution Graph

Execution Coverage:	16.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	46.2%
Total number of Nodes:	39
Total number of Limit Nodes:	2

Executed Functions

Function 02C8B328 Relevance: 6.6, Strings: 5, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0o@p, xrefs: 02C8B562
Lj@p, xrefs: 02C8B6E5
PH]q, xrefs: 02C8B747
Lj@p, xrefs: 02C8B6CF
PH]q, xrefs: 02C8B758

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 680d54bb433776af9ff64869c1c4705b0f90dcb9898dce47390132ba6bad0293
Instruction ID: e35564abe363a5834480aea5d06cf1e5d6fdc1c87645b271bdce134b6ac3b20e
Opcode Fuzzy Hash: 680d54bb433776af9ff64869c1c4705b0f90dcb9898dce47390132ba6bad0293
Instruction Fuzzy Hash: 6EE10A74A00659CFDB14DFA9C984A9DBBB1BF89318F15C0A9E819EB361DB30AD41CF50

Function 02C8C470 Relevance: 6.4, Strings: 5, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 02C8C6D8
0o@p, xrefs: 02C8C4E2
PH]q, xrefs: 02C8C6C7
Lj@p, xrefs: 02C8C665
Lj@p, xrefs: 02C8C64F

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: e279ff82a995f64ffa787c6358e0ac902008283f5797bb066a41386ce01d07a7
Instruction ID: 1a5c9af617976f155a735dab1035f962a09907bfc0d9b1ce9ae9f6e2df3dcb38
Opcode Fuzzy Hash: e279ff82a995f64ffa787c6358e0ac902008283f5797bb066a41386ce01d07a7
Instruction Fuzzy Hash: 0A91EA74E00218CFDB18DFAAD884A9DBBF2BF89314F14C56AE419AB365DB349941CF10

Function 02C8BBD3 Relevance: 6.4, Strings: 5, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj@p, xrefs: 02C8BDC5
PH]q, xrefs: 02C8BE38
0o@p, xrefs: 02C8BC42
PH]q, xrefs: 02C8BE27
Lj@p, xrefs: 02C8BDAF

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: d62c91ef398d41c95004fe0641d392c0dfee6ac66ccf0c806fd2be2252e0b360
Instruction ID: 09defbf0ca7c3be07cb9dac0c554ec759d9913b9ac7385705479cdf83240042a
Opcode Fuzzy Hash: d62c91ef398d41c95004fe0641d392c0dfee6ac66ccf0c806fd2be2252e0b360
Instruction Fuzzy Hash: 7F91B474E002589FDB14DFAAD894A9DBBF2BF89318F14C069E419AB365EB349941CF10

Function 02C8C751 Relevance: 6.4, Strings: 5, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0o@p, xrefs: 02C8C7C2
PH]q, xrefs: 02C8C9A7
PH]q, xrefs: 02C8C9B8
Lj@p, xrefs: 02C8C945
Lj@p, xrefs: 02C8C92F

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 5239fd31c95962733f9ecf20c7a38fe96b222576856b0dd3f25011f351fe0dac
Instruction ID: f5dfb15ac746c25b0b22119c07bf50794a3bb97420f0888b89e5f02bd4570333
Opcode Fuzzy Hash: 5239fd31c95962733f9ecf20c7a38fe96b222576856b0dd3f25011f351fe0dac
Instruction Fuzzy Hash: DE81D874E00219DFDB18DFAAD884A9DBBF2BF89304F14C46AE419AB365DB349945CF10

Function 02C84AD9 Relevance: 6.4, Strings: 5, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0o@p, xrefs: 02C84B4A
Lj@p, xrefs: 02C84CB8
PH]q, xrefs: 02C84D30
Lj@p, xrefs: 02C84CCE
PH]q, xrefs: 02C84D41

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: c3ddddca71197655f6535818aab218fe6e8c15892b193964faf51371a6368f44
Instruction ID: 230b330faf15089d5ddfc4d0b80de73ad7797a8a8b2081451f0397867b5647f3
Opcode Fuzzy Hash: c3ddddca71197655f6535818aab218fe6e8c15892b193964faf51371a6368f44
Instruction Fuzzy Hash: 4D81D574E00619DFDB18DFAAD984A9DBBF2BF89304F14C069E819AB365DB349941CF10

Function 02C8C193 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 02C8C3E7
PH]q, xrefs: 02C8C3F8
Lj@p, xrefs: 02C8C36F
Lj@p, xrefs: 02C8C385
0o@p, xrefs: 02C8C202

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: d32fe276ff105cb785d1ad2f519385badfa002a8cdb0c249b650e3cc800249ba
Instruction ID: 2b2c6e1cb5aa34f78e784da86742b48363aa6872a6defc46a2a6f51b2c8ffae3
Opcode Fuzzy Hash: d32fe276ff105cb785d1ad2f519385badfa002a8cdb0c249b650e3cc800249ba
Instruction Fuzzy Hash: DE81C774E00218DFDB18DFAAD884A9DBBF2BF89304F14C06AE419AB365DB349945CF54

Function 02C8CA31 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj@p, xrefs: 02C8CC0F
PH]q, xrefs: 02C8CC98
0o@p, xrefs: 02C8CAA2
Lj@p, xrefs: 02C8CC25
PH]q, xrefs: 02C8CC87

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: 3717bf3ffc674e1a940f77e1e4eea49c8f269990a7208787e9189f4efd814b01
Instruction ID: 670e28a319e4e53d4378e34b7698985512a4550952c792175b55e39e21c7cc9e
Opcode Fuzzy Hash: 3717bf3ffc674e1a940f77e1e4eea49c8f269990a7208787e9189f4efd814b01
Instruction Fuzzy Hash: 0281B874E00618DFDB18DFAAD994A9DBBF2BF88304F14C06AE419AB365DB349941CF50

Function 02C8BEB7 Relevance: 6.4, Strings: 5, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 02C8C107
0o@p, xrefs: 02C8BF22
Lj@p, xrefs: 02C8C08F
PH]q, xrefs: 02C8C118
Lj@p, xrefs: 02C8C0A5

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
API String ID: 0-1229222154
Opcode ID: f09dbcf6d31b153a430c4e4234532cbfeca7cecf5ab45dbef69db59b16d9b1d1
Instruction ID: a53024fd1187e2fb5048273ea7c0ac09d2e7e0b7cc56a54dc6b64bff9c75f888
Opcode Fuzzy Hash: f09dbcf6d31b153a430c4e4234532cbfeca7cecf5ab45dbef69db59b16d9b1d1
Instruction Fuzzy Hash: DB81B674E00218DFDB18DFAAD994A9DBBF2BF89304F14C06AE419AB365DB349941CF50

Function 02C86730 Relevance: 5.5, Strings: 4, Instructions: 452
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,aq, xrefs: 02C86A00
,aq, xrefs: 02C869F2
(o]q, xrefs: 02C86988
(o]q, xrefs: 02C8697A

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$,aq$,aq
API String ID: 0-1947289240
Opcode ID: 4aebaec9ad370b2712c8fb052ff60ef4c6ffdfb8a8f85664cb67488303166376
Instruction ID: 28627e1289b6310285edc6cfaf7807aaf805cf6c147cc3146491937d976d8607
Opcode Fuzzy Hash: 4aebaec9ad370b2712c8fb052ff60ef4c6ffdfb8a8f85664cb67488303166376
Instruction Fuzzy Hash: C2026E70A00219DFCB15EF69C984AAEBBFAFF89308F25C469E515AB261D730DD41CB50

Function 02C8B4F3 Relevance: 3.9, Strings: 3, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0o@p, xrefs: 02C8B562
PH]q, xrefs: 02C8B747
PH]q, xrefs: 02C8B758

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: 0o@p$PH]q$PH]q
API String ID: 0-2023588385
Opcode ID: 30b3e3e942bc1a1246a0395bcc45db5df98ed68bf7de757000e3e04d4424fbc3
Instruction ID: 634ed4e9d806aa1818540d9c3d0a11ffcfcbe8207f1bf904748f3b96913c8b93
Opcode Fuzzy Hash: 30b3e3e942bc1a1246a0395bcc45db5df98ed68bf7de757000e3e04d4424fbc3
Instruction Fuzzy Hash: 9F61C474E006599FDB18EFAAD984A9DFBF2BF89304F14C069E418AB365DB349941CF10

Function 02C86148 Relevance: 2.9, Strings: 2, Instructions: 431COMMON

Download Yara Rule

Strings

Haq, xrefs: 02C8650E
(o]q, xrefs: 02C86642

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: (o]q$Haq
API String ID: 0-903699183
Opcode ID: 5d6340f960e1cfd70d846521b946f6654cdc5f2ff2b82e23542accee9941cf71
Instruction ID: 4f763e8be465fe8ef0b96b4ed0b1620a06816472bb90b284111b1b22ec791094
Opcode Fuzzy Hash: 5d6340f960e1cfd70d846521b946f6654cdc5f2ff2b82e23542accee9941cf71
Instruction Fuzzy Hash: 34F17E71A002198FDB14EF69C8547AEBBBABFC8308F24C559E446DB395DF349942CB90

Function 02C83570 Relevance: 2.9, Strings: 2, Instructions: 426COMMON

Download Yara Rule

Strings

$]q, xrefs: 02C83596
Xaq, xrefs: 02C835AF

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: d36b98c294573a322acf23862778aadbcf27f0875861e1964cc5d9bfce806604
Instruction ID: e146f5cefc537085a90f4f6a02306b7586833d15af1c8eb012abfaa2062048a9
Opcode Fuzzy Hash: d36b98c294573a322acf23862778aadbcf27f0875861e1964cc5d9bfce806604
Instruction Fuzzy Hash: A8F15D74F002589FDB18EFB9D8545AEBBB2BF88714B14856AE406EB358DF359C02CB41

Function 06B18BF2 Relevance: 2.7, Strings: 2, Instructions: 217COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06B18E9A
PH]q, xrefs: 06B18EAB

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: b0c56aa5e11593ce194f6c2a45ef3ee0e380930c47b4aab71a65dba69a7f2ab8
Instruction ID: af7611f627f8090dd0e09d764fe4317ed78848c60263d1fb0a661b9f614f2f36
Opcode Fuzzy Hash: b0c56aa5e11593ce194f6c2a45ef3ee0e380930c47b4aab71a65dba69a7f2ab8
Instruction Fuzzy Hash: 989137B4E00268DFDB58DFA9D854ADDBBF2BF89304F2081AAD419AB354DB345941CF90

Function 06AE7D90 Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5beeae83a3441e14ed8e47f928ba492895810e2f01aec93e6320d8db9f36faa
Instruction ID: 13a61be8e4b7be6f3766dfbc7a6bcb0173fa188f9ce18bea4f9654d605d09588
Opcode Fuzzy Hash: c5beeae83a3441e14ed8e47f928ba492895810e2f01aec93e6320d8db9f36faa
Instruction Fuzzy Hash: CEF1D174E01218CFDB54DFA9D884B9DBBB2BF88304F5481A9E818AB355DB34A985CF50

Function 06B111A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b48e67ed522cf10be826b2fca6fd8eb4bda06f5493becabceab05543d9c67872
Instruction ID: 673f9b3c272049d7ea0b86c57b9290f2c83c89754eb93d2169df96b938136deb
Opcode Fuzzy Hash: b48e67ed522cf10be826b2fca6fd8eb4bda06f5493becabceab05543d9c67872
Instruction Fuzzy Hash: 93827B74E012299FDB64DF69DD84B9DBBB2BB89300F1481EA980DA7264DB345E81CF40

Function 02C8F007 Relevance: .7, Instructions: 716COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 018ae9ae21206c1b22dded91200b915106a687684f7c70b7b5d125aa3f6a028d
Instruction ID: fda272a03dd7edb40b34e225759718b91f0a3e1ecd3fbfe4b45bec28ec06390c
Opcode Fuzzy Hash: 018ae9ae21206c1b22dded91200b915106a687684f7c70b7b5d125aa3f6a028d
Instruction Fuzzy Hash: D672C074E012298FDB65EF69C884BEDBBB2BF49304F5481E9D409A7255DB34AE81CF40

Function 06B18608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157bd26c1e8c8b34c9acf361122d9627d40499a9dd80955eaed843dae071fdb5
Instruction ID: 327bff5ad45618f9a1c9d2aa016d32c1a1166d90d44f54bda9dc6a9fedb6617f
Opcode Fuzzy Hash: 157bd26c1e8c8b34c9acf361122d9627d40499a9dd80955eaed843dae071fdb5
Instruction Fuzzy Hash: E4E1F3B4E01218CFEB54DFA5C944B9DBBB2BF89304F2081A9D409AB395DB355E85CF50

Function 06AE0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 951aca8f786143aa2b609a6578cece72ea977147013de205ccae04e260b36351
Instruction ID: fd3a1a95131bfdf122af0c975ab3000ed5267f156bbe4ec947c194a4ff8b7027
Opcode Fuzzy Hash: 951aca8f786143aa2b609a6578cece72ea977147013de205ccae04e260b36351
Instruction Fuzzy Hash: AFC1D074E00218CFDB54DFA5D984B9DBBB2BF89304F2081A9D809AB365DB349E85CF50

Function 06AEE058 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163692bb5dd87efdf69f219ce4805cdefbd0ee24e9970902dd9a63862fdb12ee
Instruction ID: 918675a90e454bfb594ce68966eb88fd6b16024b9ffc0b37e4552b352e4e20c7
Opcode Fuzzy Hash: 163692bb5dd87efdf69f219ce4805cdefbd0ee24e9970902dd9a63862fdb12ee
Instruction Fuzzy Hash: A9C1D374E00218CFDB54EFA5D944B9DBBB2BF89304F2081A9D409AB365DB359E85CF50

Function 06AE11C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae1a0a5e8191c517e74aef55e5efe850fc3a4e3f29d4ced5cc9ddae93bbf9e9
Instruction ID: 962a307f410bae1241d24b83cfe4154a0ba51ce1beacb73826a53de14121bbe5
Opcode Fuzzy Hash: 1ae1a0a5e8191c517e74aef55e5efe850fc3a4e3f29d4ced5cc9ddae93bbf9e9
Instruction Fuzzy Hash: D6C1D274E00228CFDB54DFA5D994B9DBBB2BF89304F2081A9D809AB355DB349E85CF50

Function 06AE1620 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d25d5d07a6095c5017eaec4253680050c59b1d5135083d8e41b34c4c465370
Instruction ID: 8e6be2a852477c4dc35e2f071ac61cb13e268929deefe91293223cad975388a6
Opcode Fuzzy Hash: 28d25d5d07a6095c5017eaec4253680050c59b1d5135083d8e41b34c4c465370
Instruction Fuzzy Hash: F3A1F470D00218CFDB14EFA9C954BDDBBB1FF89314F208269E409AB291DB749985CF55

Function 06AE1617 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7260c698e40f8eab9b52e238ff4b2a9027a1a55f8833d9123800452f6860fe36
Instruction ID: c8003e48213d308ec5d53c6f5e4f772c38fe5191aaf38395500584c8b9cd53ad
Opcode Fuzzy Hash: 7260c698e40f8eab9b52e238ff4b2a9027a1a55f8833d9123800452f6860fe36
Instruction Fuzzy Hash: C5A10570D00218CFDB14DFA8C594BDDBBB1FF89304F208269E409AB291DB759985CF54

Function 06B1B6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b52df0b1c7ea271e2c4290d42e1f38c500b32b3a86a1d2469e62112c60ce173
Instruction ID: c7c0ee04757c48f25edad9fcd9b0761209b5aee15a28f53e968b3acd73201262
Opcode Fuzzy Hash: 8b52df0b1c7ea271e2c4290d42e1f38c500b32b3a86a1d2469e62112c60ce173
Instruction Fuzzy Hash: F8A1B3B0E01218DFEB68DF6AC944B9DBAF2BF89300F54C1AAD40DA7255DB305A85CF51

Function 06B1D670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e467fe56698e162115aa08175c0d6c92341be60cf547ff1e1ff975ab00e09945
Instruction ID: e362f8b9e994f87d071b722406fdd3ed4ea83378ac08d869c55214f3d98f7419
Opcode Fuzzy Hash: e467fe56698e162115aa08175c0d6c92341be60cf547ff1e1ff975ab00e09945
Instruction Fuzzy Hash: EDA1C3B0E012289FEB68DF6AC944B9DBBF2BF89300F14D1AAD40DA7255D7305A85CF50

Function 06B1C388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f28c40e87c6a080cd042fe280a92e7b3b411fb7680c858d1edb4e589a84e6d
Instruction ID: 3e584e5d83bb85bde81f26e8a94a7efa3c69d34717300e278f723d8ea0c42966
Opcode Fuzzy Hash: 27f28c40e87c6a080cd042fe280a92e7b3b411fb7680c858d1edb4e589a84e6d
Instruction Fuzzy Hash: 2EA1B2B0E012289FEB64CF6AC944B9DFBF2BF89300F54D0AAD409A7255DB345A85CF50

Function 06B1A408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 431b178574f512affdd37aef6dbd1c9444ba02a7feb24240384c735a094be0ec
Instruction ID: e0e87c9a3d8b859629b25b12198dbf381e7908d9ed884a1d2924db6c03917b79
Opcode Fuzzy Hash: 431b178574f512affdd37aef6dbd1c9444ba02a7feb24240384c735a094be0ec
Instruction Fuzzy Hash: 9BA1A3B4E012288FEB64DF6AC944B9DBBF2AF89300F54C1AAD40DA7255DB305A85CF51

Function 06B1C9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e0a00fbefdc257749e06a87f9f4a0e6722482a203c53f274bb260c64cb6300
Instruction ID: a4fe453c8e67d2af75227ec76607fda15bc2e28e32ad44fee150a890026822d4
Opcode Fuzzy Hash: 94e0a00fbefdc257749e06a87f9f4a0e6722482a203c53f274bb260c64cb6300
Instruction Fuzzy Hash: 2CA1C3B0E012289FEB64DF6AC944B9DBBF2BF89300F54D0AAD40DA7254DB345A85CF50

Function 06B1BD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4c4f9d2792f40a88170f6b9768e8f7269f2b4b0d079860ba1b40a291f7d024e
Instruction ID: 22c95e3b8cbd33e6807b243cc199cec448bc4e4709e49c57da9b0ab1c182f9fb
Opcode Fuzzy Hash: a4c4f9d2792f40a88170f6b9768e8f7269f2b4b0d079860ba1b40a291f7d024e
Instruction Fuzzy Hash: FCA1B3B4E012288FEB64DF6AC944B9DBBF2BF89300F54C0EAD409A7255D7345A85CF51

Function 06B1AA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb6d2cc17d36506a321533fa3be97999a04b1f1c397775c92dc4550f4f516c6
Instruction ID: 8257db2f19b1a7f4aec7e19c4bddef5707244a33cf7bbdd46b4f0c9faab58118
Opcode Fuzzy Hash: 1eb6d2cc17d36506a321533fa3be97999a04b1f1c397775c92dc4550f4f516c6
Instruction Fuzzy Hash: 5BA1A4B4E012188FEB68DF6AC944B9DFBF2AF89300F54C0AAD409B7255DB345A85CF50

Function 06B1B0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e568f3f84b85520c23c56fa80386a8fb23deff8a23e52963d31ea8a67f110ffe
Instruction ID: dfb2d8f5fe1c6bc83a41ce6fc9b89ce989167d466408d5c555888ea5ae636e8d
Opcode Fuzzy Hash: e568f3f84b85520c23c56fa80386a8fb23deff8a23e52963d31ea8a67f110ffe
Instruction Fuzzy Hash: EEA1A3B4E012189FEB68DF6AC944B9DFBF2BF89300F54C1AAD409A7254DB305A85CF51

Function 06B1D028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c48e0e70eecbdf887c93fb9e2acd35a07858ffd7587c26c8832c7b6da0f330
Instruction ID: 84a5605b0ee24dc9aa4b46539a1901cd6e0a6087eb6238ff440462199ffd10de
Opcode Fuzzy Hash: 76c48e0e70eecbdf887c93fb9e2acd35a07858ffd7587c26c8832c7b6da0f330
Instruction Fuzzy Hash: 14A1A2B0E012289FEB64DF6AC944B9DFBF2AF89300F54C1AAD40DA7254D7309A85CF51

Function 06AE1966 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20e6ea81bfddcd7bb18178853ae0abb453ea5e13fc64fab548aa68e745835d6
Instruction ID: e954ac51e6d7ccb4e46aedae22a6b3aa8261c981e0bf7868b46012ef3d4bb9c3
Opcode Fuzzy Hash: b20e6ea81bfddcd7bb18178853ae0abb453ea5e13fc64fab548aa68e745835d6
Instruction Fuzzy Hash: C591E374D00218CFEB54EFA8C984BECBBB1FF49314F249269E409AB291DB749985CF54

Function 06B11191 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94fe418c8235d1bfb7ab75781e69473950a7ccc7a80f302d79de74f5313a68e3
Instruction ID: a8351d9b40161a1a38c2cff8d4fc0a3a2e2904c7b803839086b107bd94d766fc
Opcode Fuzzy Hash: 94fe418c8235d1bfb7ab75781e69473950a7ccc7a80f302d79de74f5313a68e3
Instruction Fuzzy Hash: DB819274E412299FDB65DF29DC90BDDBBB2BB89300F1481EAD849A7254DB305E81CF44

Function 06B1AA4E Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94379760df89866d5ace638697f0beef32b079308c463f17438b83f563039434
Instruction ID: f9e64ee0a146c2e83c7aab9e05c9f6f4e354a3f0dfa74ea226e0cdc60422efdc
Opcode Fuzzy Hash: 94379760df89866d5ace638697f0beef32b079308c463f17438b83f563039434
Instruction Fuzzy Hash: 397185B0E016188FEB68DF6AC944B9DBBF2AF89300F14C1EAD40DA7255DB345A85CF51

Function 06B1B09F Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a064552a5314b943b09b59407762f45c0495aecf4e8c644942f4494d98eb723
Instruction ID: 4552cad79fe23cc7844a2a3f9a501319c78a9127c69397f7e1ef0ea69097ebbd
Opcode Fuzzy Hash: 6a064552a5314b943b09b59407762f45c0495aecf4e8c644942f4494d98eb723
Instruction Fuzzy Hash: 687175B1E006189FEB68DF6AC94479DBAF2AF89300F14C1EAD40DA7255DB344A85CF51

Function 06B1D027 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48dcff9a31cdf1567cc34835daff534b19e12e6f7e59d06b7d66daf67f53f2ab
Instruction ID: 0cf8d2ded3a47e249e2f86206da3c9e11ef4edfc2cef68fd04c7225e85c3c6d8
Opcode Fuzzy Hash: 48dcff9a31cdf1567cc34835daff534b19e12e6f7e59d06b7d66daf67f53f2ab
Instruction Fuzzy Hash: 307185B0E016289FEB68DF6AC94479DFBF2AF89300F14C1AAD40DA7254DB344A85CF51

Function 02C8CD10 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05fd223dedf1bfd8a3c33364765fd31d243d0110d840fb7441eca0e9373d5d15
Instruction ID: b41104435303c21349d88fc176d11120d610466c8026dd36343343cbb1873f0d
Opcode Fuzzy Hash: 05fd223dedf1bfd8a3c33364765fd31d243d0110d840fb7441eca0e9373d5d15
Instruction Fuzzy Hash: BC518374E01218DFDB58DFAAD5849DDBBF2BF89310F24816AE419AB365DB30A901CF50

Function 06B18602 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54873a49538adfeff85f0835d66c8839429a30b921b8d2c2d14fdad86a597271
Instruction ID: 46756affebbca3ac87cbe3f31921b59cc11038361afcb4004560533d03a1a05d
Opcode Fuzzy Hash: 54873a49538adfeff85f0835d66c8839429a30b921b8d2c2d14fdad86a597271
Instruction Fuzzy Hash: EA41D1B0D002088BEB58DFAAD9547DEBBB2BF88304F14D16AC418AB294DB755946CF54

Function 06B1D662 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 835cfa7812e6b7fd751f701ebfb70065c4c4e79691e55dd8c71c2bc251450ff9
Instruction ID: 9e0165a27d64ea66bc2ad9cbb0c5b6887cef42bbf52d6076b3a12b8b4d55a37a
Opcode Fuzzy Hash: 835cfa7812e6b7fd751f701ebfb70065c4c4e79691e55dd8c71c2bc251450ff9
Instruction Fuzzy Hash: 17416AB1D016189BEB58CF6BC9457C9FAF3BFC8304F14C1AAD50CA6264EB740A858F51

Function 06B1A3FE Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a21d53d36fc8cbb0fd640782a98d20b1bccb2a98d546a418e184d00854cb9f7
Instruction ID: abbf861910bfe71989dc8900476e7a114952309e8d7d6f3698e7a8570ffbd372
Opcode Fuzzy Hash: 2a21d53d36fc8cbb0fd640782a98d20b1bccb2a98d546a418e184d00854cb9f7
Instruction Fuzzy Hash: 9F4147B1D016188FEB58CF6BC9457DAFAF3AFC8304F14C1AAC50CA6265DB741A868F51

Function 06B1B6E7 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82dfddeeda38bd7ccf3f0a3563a53b3f041743288cc9f4fb341b73a8eb796462
Instruction ID: 904c901cc7c302f185053ed849ef3288272c84a9bf1e0303a3f01180b8d099f9
Opcode Fuzzy Hash: 82dfddeeda38bd7ccf3f0a3563a53b3f041743288cc9f4fb341b73a8eb796462
Instruction Fuzzy Hash: D84158B1E016189BEB58CF6BC9457D9FAF3AFC8304F14C1AAC50CA6264DB740A86CF51

Function 06B1C387 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c93e6c8a0bb93f7333c86687364cc52f176d6735e38e6747c19fab71a41c626
Instruction ID: d3e8e09a41726874538fe8e7c154dbbdf1bd69eab95a060667b57c82f7a49045
Opcode Fuzzy Hash: 7c93e6c8a0bb93f7333c86687364cc52f176d6735e38e6747c19fab71a41c626
Instruction Fuzzy Hash: EC416AB1D016189BEB58CF6BC9457C9FAF3AFC8300F04C1AAC50CA6264DB740A86CF51

Function 06B1C9D7 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26b43a7c7e4aa3d9ce8f797e69584ed19638739d6211e8c5f63e1d105c042f3
Instruction ID: c6cb153c152ced431f04fe08ff09efeae14a8eba753d5d4d9e2f9ff8914e9b5e
Opcode Fuzzy Hash: f26b43a7c7e4aa3d9ce8f797e69584ed19638739d6211e8c5f63e1d105c042f3
Instruction Fuzzy Hash: E1415AB1D016189BEB58CF6BC9457D9FAF3AFC8300F14C1AAC50CA6254DB740A868F51

Function 06B1BD37 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a1b31cacf6389a00963820d856ed9d0e82b58df91fb5b5a89937be39cb5afc
Instruction ID: 6fe616c3ff62eb5da6738c01270d6b11f5552338f37410fc69e8864f9934c852
Opcode Fuzzy Hash: b5a1b31cacf6389a00963820d856ed9d0e82b58df91fb5b5a89937be39cb5afc
Instruction Fuzzy Hash: 76415AB1D016189BEB58CF6BD9457D9FAF3AFC8300F14C1AAC50CA6264DB740A86CF51

Function 02C86E67 Relevance: 10.5, Strings: 8, Instructions: 469
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 02C86F7D
(o]q, xrefs: 02C86F51
(o]q, xrefs: 02C87377
,aq, xrefs: 02C87308
(o]q, xrefs: 02C87367
,aq, xrefs: 02C872F8
(o]q, xrefs: 02C86E96
(o]q, xrefs: 02C8701A

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-1435242062
Opcode ID: a283291ec5774fbc0b97585e772123eb8e939baec7eeb439b6683b6bf456bbf9
Instruction ID: 02af8e9afe2b91e0378d52b62c7e914d331bccf419cfcdceb8705a404e8fdc8b
Opcode Fuzzy Hash: a283291ec5774fbc0b97585e772123eb8e939baec7eeb439b6683b6bf456bbf9
Instruction Fuzzy Hash: CE125C34A00609CFCB14DF69D984AAEBBF6FF89318F258569E809DB261D730ED45CB50

Function 02C887E9 Relevance: 4.1, Strings: 3, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 02C88837
;]q, xrefs: 02C88C2C
4']q, xrefs: 02C88811

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: 4']q$4']q$;]q
API String ID: 0-1096896373
Opcode ID: 85129dca6bb5d0ccf55c85ca2e158dd6287c9edc63b1b6b6de32a368c9d2d0bd
Instruction ID: 8ba16e90b4f7ab0498af4b886dbcd3bae1f690b809707df4b9846f922f1e262b
Opcode Fuzzy Hash: 85129dca6bb5d0ccf55c85ca2e158dd6287c9edc63b1b6b6de32a368c9d2d0bd
Instruction Fuzzy Hash: 0AD1A0703451098FDB15AB29CD58B393796AFC570CF8986BAE102CFBA1EB28DD41C752

Function 02C877F0 Relevance: 3.2, Strings: 2, Instructions: 702
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 02C88337
$]q, xrefs: 02C88314

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: dc8ec358dba89cacf4d1eefaca3b88bee86a19ede33f3992991aa833138a258b
Instruction ID: 48fa1e9b96713e9bb3ff3703f5c4846090470db9b825c84d85318c32bb80cc69
Opcode Fuzzy Hash: dc8ec358dba89cacf4d1eefaca3b88bee86a19ede33f3992991aa833138a258b
Instruction Fuzzy Hash: 35524274A0022DCFEB15EBA4C860B9EBB76FF98304F1081A9C50A6B765CB345E45DF91

Function 02C89C40 Relevance: 3.0, Strings: 2, Instructions: 548COMMON

Download Yara Rule

Strings

(o]q, xrefs: 02C89C78
4']q, xrefs: 02C8A273

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: (o]q$4']q
API String ID: 0-176817397
Opcode ID: 78c73927726fb936886a3f6323286426f2b50e33570a783958cb31a3ee494f19
Instruction ID: bbbdbcb7359d6861c5e1208ed87fdd77fdb22c7756cda3f7674047d0b4e6ef63
Opcode Fuzzy Hash: 78c73927726fb936886a3f6323286426f2b50e33570a783958cb31a3ee494f19
Instruction Fuzzy Hash: 5B324D31600509DFCB15EF68C984A7EBBB2BF88309F15C55AE8069B3A5D731E981CB51

Function 02C856A8 Relevance: 2.8, Strings: 2, Instructions: 265COMMON

Download Yara Rule

Strings

Haq, xrefs: 02C857C6
Haq, xrefs: 02C85793

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: df3e0e1aff5643cde332eb2429b7650f729b79ae30b77e4ee87b3fd4f07904c0
Instruction ID: 30f08057b5f2135263de35c766ec7782efc6dac85d183e60d214fa92b6304360
Opcode Fuzzy Hash: df3e0e1aff5643cde332eb2429b7650f729b79ae30b77e4ee87b3fd4f07904c0
Instruction Fuzzy Hash: 9E91EF307442558FDB16AF38C858B6E7BA2BFC8348F15896AE4468B391DFB9CD01C791

Function 06B19510 Relevance: 2.7, Strings: 2, Instructions: 213COMMON

Download Yara Rule

Strings

(&]q, xrefs: 06B1962B
(aq, xrefs: 06B196EA

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID: (&]q$(aq
API String ID: 0-1602648543
Opcode ID: 2482a3ccc3a6f2e34164a177fd96bef36ffdc27d0dd1231b9deaef0e81b5a1b7
Instruction ID: c127e9f627df330cf69a1377651d80aeb53325f7e7f166b0f319747e5b98e0e2
Opcode Fuzzy Hash: 2482a3ccc3a6f2e34164a177fd96bef36ffdc27d0dd1231b9deaef0e81b5a1b7
Instruction Fuzzy Hash: 83718031F002599BDB55EFB9C8606EEBBB2EF89700F148469D506AB380DF349D42C7A1

Function 02C85C50 Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

,aq, xrefs: 02C85CE8
,aq, xrefs: 02C85CDE

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: ,aq$,aq
API String ID: 0-2990736959
Opcode ID: f00985a4996a448b66e2cdfa5ced22357548ea4d6866c6edd555d4a3ce6dfa06
Instruction ID: 88ead730509694137037a35ae06e02bc5814af1fe8fefd8ff423afc448b402b5
Opcode Fuzzy Hash: f00985a4996a448b66e2cdfa5ced22357548ea4d6866c6edd555d4a3ce6dfa06
Instruction Fuzzy Hash: 8061C175A00505CFCB04EF69C888AADB7F2BF89248B96C16AD802EB365D774ED41CF51

Function 02C895D7 Relevance: 2.7, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

4']q, xrefs: 02C8966C
T, xrefs: 02C895E6

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: 4']q$T
API String ID: 0-2893198943
Opcode ID: d64cc19c3c3a99f116fc04204bfd04bdadbda589093ca7a97371079e2c1b7d62
Instruction ID: 2d48f289cd0796ec3a55f466c41aacb37812c35c7254de392a4436fd925f1cc8
Opcode Fuzzy Hash: d64cc19c3c3a99f116fc04204bfd04bdadbda589093ca7a97371079e2c1b7d62
Instruction Fuzzy Hash: B551D470B042859FDB45AA698890BBEB7B9EFC5308F14C465E402DB351DB78CD41CBA1

Function 02C83428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xaq, xrefs: 02C83435
Xaq, xrefs: 02C8345E

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: Xaq$Xaq
API String ID: 0-1488805882
Opcode ID: b89c964bf51f12654f42691a3c616bd516573b6813fa468ea0add06ebde19d27
Instruction ID: b24b4b01e3bd03ce633ffdebb0b3d231f42c58de62f8b1001de552839ea1db54
Opcode Fuzzy Hash: b89c964bf51f12654f42691a3c616bd516573b6813fa468ea0add06ebde19d27
Instruction Fuzzy Hash: DB315731B003658BDF1DAA6A898437EAAEABFC4A1CF148579D806C3384DF74CD0582A1

Function 02C894B9 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

4']q, xrefs: 02C894E4
4']q, xrefs: 02C894CD

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: 6694174bcabd8e7cc3b752d5968dbbe3a3e46192583540dbe1f22e8aa0336859
Instruction ID: ff561242773b8c14b107258c511c77bab43a121a53d6b7cd81d0ce4100dfe270
Opcode Fuzzy Hash: 6694174bcabd8e7cc3b752d5968dbbe3a3e46192583540dbe1f22e8aa0336859
Instruction Fuzzy Hash: D9F0CD353001042FD7092A69985097B7BDBDFCC3A4B048925BA0AC7350DE75CC1197A0

Function 02C80C8F Relevance: 1.7, Strings: 1, Instructions: 406COMMON

Download Yara Rule

Strings

LR]q, xrefs: 02C80E5E

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: b81ed3b5d5c687bcbc504c31889ee596708be8f1f4a85379d03a93f43e81a305
Instruction ID: 672bd7f9ebdb4fab4f70025ca8c10f79a267f2f99b89c9b3ef57e5e3810ff227
Opcode Fuzzy Hash: b81ed3b5d5c687bcbc504c31889ee596708be8f1f4a85379d03a93f43e81a305
Instruction Fuzzy Hash: 4922FA78A0022ACFCB54EF65E994A9DBBB5FF48304F1087A5E909A7358DB346D46CF40

Function 02C80CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LR]q, xrefs: 02C80E5E

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 8a25c44fa29762be5d66760dcf48acdc8da29ce26de14e12bee68518448f123f
Instruction ID: 88a65290fe1caf84f2939d0017a21e8a454caf5b4608582108e7d710dfbd1e38
Opcode Fuzzy Hash: 8a25c44fa29762be5d66760dcf48acdc8da29ce26de14e12bee68518448f123f
Instruction Fuzzy Hash: 2022F978A0022ACFCB54EF65E994A8DBBB5FF48304F1087A5E909A7358DB346D46CF40

Function 06AE8174 Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06AE82B6

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b7ad6e786da8a0992d684b0fde368ec8e516500eb1148732d5586c337423ecc3
Instruction ID: bd5d9962cd92dc07378649742099c3ddb2b7e16999b65f5935cca42b392272b8
Opcode Fuzzy Hash: b7ad6e786da8a0992d684b0fde368ec8e516500eb1148732d5586c337423ecc3
Instruction Fuzzy Hash: 251179B4E011098FDB44EBA8D884AEDBBB5FF88314F54C2A5E814E7242D734E941CB60

Function 06B124A0 Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

LR]q, xrefs: 06B12529

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: ef9ec939ea72f01a10a1b43b3ce5f533d4342d8839c37ebd057f0275c0d7c9bb
Instruction ID: 40166368dc7044df7f2c435937d3f562cad95eb13a66c86837c4006cf71c3469
Opcode Fuzzy Hash: ef9ec939ea72f01a10a1b43b3ce5f533d4342d8839c37ebd057f0275c0d7c9bb
Instruction Fuzzy Hash: 9C51D070B101159FCB44EF78C89496E77F2EF88600B5585A9E506DB3A4EB30ED42CBA1

Function 02C8964C Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

4']q, xrefs: 02C8966C

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: e14684695036bee32a25025517ba8ccc3af079d68cea5a251d6904492b092a85
Instruction ID: a0b9fbf4071ecfa62bb01665f4f6dbe16048433e6e87b8c17239fad187e8fa5a
Opcode Fuzzy Hash: e14684695036bee32a25025517ba8ccc3af079d68cea5a251d6904492b092a85
Instruction Fuzzy Hash: 6A41B274B001559FDB55EBA9C880ABEB7EAAFC9308F14C569E402DB350DB34CD41CBA1

Function 02C8A92F Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698d0d963167546d141a32e993e556f95b7c69aaab1e2cde738952df78f7469e
Instruction ID: 3c447083374c768ad556fd79e1f75dfadccfbe2acf7aba00290f4d028d4214a5
Opcode Fuzzy Hash: 698d0d963167546d141a32e993e556f95b7c69aaab1e2cde738952df78f7469e
Instruction Fuzzy Hash: 0EB1F971A40554DFCB04DF9CD584AADBBB6FF8C318B1AC09AE505AB261C735ED81CB50

Function 02C87438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a11cff305938cdd0213db834db569c3e9ea75e6574fdb63ea8ac9781fc47233
Instruction ID: a04b9412038bdbdd832e9f4211203cf5a2fa45ee961e59a508af4ceee991d037
Opcode Fuzzy Hash: 6a11cff305938cdd0213db834db569c3e9ea75e6574fdb63ea8ac9781fc47233
Instruction Fuzzy Hash: FA711E387002058FCB15EF29C498AADBBE5AF89609F2584A5E505CB371EB71DD45CB90

Function 02C8CEC7 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df93bd60e37b6430afc55d4de6e1e6cd6114d51203d0c83a1342a798d860e2a1
Instruction ID: 7a0ac85d6a0fa51bfd73435bbf8df15f3c0eae6dfa3f419115a57d0cc00a641f
Opcode Fuzzy Hash: df93bd60e37b6430afc55d4de6e1e6cd6114d51203d0c83a1342a798d860e2a1
Instruction Fuzzy Hash: D251A0709A63478FC3142F64A1AC2AABFB8FB4F31BB056E40F04F86819DB705469CB15

Function 02C8CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6fdde041c5c8ba612d02cc8138aff7ee9fb9ad019b692a8fcd195b5e523a3e
Instruction ID: e46e2f3b00f50703d0850dfc1e5ff83149de28f6234ada3842d132c99b53fc15
Opcode Fuzzy Hash: de6fdde041c5c8ba612d02cc8138aff7ee9fb9ad019b692a8fcd195b5e523a3e
Instruction Fuzzy Hash: 8D51A0709A63078FC3142F64A1AC26EBFB8FB4F32BB446E00B01F86819DB705465CB25

Function 02C8990D Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ef210faf3ce830367684fa7f887e1d96430016fdf89085897c01c9521390a8
Instruction ID: c967c8c53807534b1d87fee06ecce280f118f353805a64b1ca83ab92b5507a9f
Opcode Fuzzy Hash: 45ef210faf3ce830367684fa7f887e1d96430016fdf89085897c01c9521390a8
Instruction Fuzzy Hash: 1D616570E00259DFCF06DFA4C844AEDBFB2BF89308F14855AE805AB361D7349A55CB90

Function 02C8E2E5 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68471ff33c23f7998e03d94536c6e6636a421791d5bcdaa7bf59240b96ce00de
Instruction ID: 0c8c98b233faf075f9ab51125835b9ab61597a26f71b5964abce5bfba8ae114a
Opcode Fuzzy Hash: 68471ff33c23f7998e03d94536c6e6636a421791d5bcdaa7bf59240b96ce00de
Instruction Fuzzy Hash: F7511474E00318DFDB14DFA5D954AAEBBB2FF88304F208629E809AB355DB395946CF41

Function 06B1DCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555f8326f39538f3481dae827da4b685f14afb9667ca4f37114e3724cedf1534
Instruction ID: cef5abf17aea717b3fe0b87c025c435990dd7ebdfc9d55ac1ac4bd6a2516f191
Opcode Fuzzy Hash: 555f8326f39538f3481dae827da4b685f14afb9667ca4f37114e3724cedf1534
Instruction Fuzzy Hash: 5441AC75901319CFDB00AFB1D05C7EEBBB1EB4A316F5499A8D102672D4CBB80A45CF94

Function 02C83908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b3d1d0f7d21ad1319ccd2bfe31055b0f5c1fff4530871abe801040b69fa6354
Instruction ID: 69144aee9b8cf155073abcaf75400ef067f0c2e9ba983308f12dd768bea76917
Opcode Fuzzy Hash: 0b3d1d0f7d21ad1319ccd2bfe31055b0f5c1fff4530871abe801040b69fa6354
Instruction Fuzzy Hash: 36519675E01219CFCB08DFAAD59499DBBF2FF8D304B209569E509AB324DB31A946CF40

Function 06B19500 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33f994ec9a3887995e9d5d88910347bbb5d03581d19ece6bd5cf81239bfa02b
Instruction ID: 42f64e3d0d0a2a84ad77ae37d39349119c591a8df4a7c94ed388343cbaf565b0
Opcode Fuzzy Hash: f33f994ec9a3887995e9d5d88910347bbb5d03581d19ece6bd5cf81239bfa02b
Instruction Fuzzy Hash: 79417371E00219EBDB14DFA5C890ADEB7F5FF88700F148169E415BB280DB70A942CBE1

Function 02C8D7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e5ef5a1850a7772c3316df00dd55321e009eb4484d3a3c386dddb36fd3dcccc
Instruction ID: d27a709b6cc4ccab6e8c39d2b13211617c184153d682d05f6cb6c3614136d6b9
Opcode Fuzzy Hash: 1e5ef5a1850a7772c3316df00dd55321e009eb4484d3a3c386dddb36fd3dcccc
Instruction Fuzzy Hash: BA410674D04208CBCB04EFB9D484AEDBBB2FF49309F60D519D41AA7289D775A882CF55

Function 06B19A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a2d46da57a135bc612ff63a06a3cdb4cd640efaa043033b8e8356f88fb18ce
Instruction ID: 7fbbad1b0d2492a4a9ef2d77714825ba2489598ea4f4ac0af3842d193a3a0e64
Opcode Fuzzy Hash: a3a2d46da57a135bc612ff63a06a3cdb4cd640efaa043033b8e8356f88fb18ce
Instruction Fuzzy Hash: 9A41EFB4E00218DFCB04EFA9D5946EDBBF2BF49304F10912AD409B7294DB346A4ACF50

Function 06B19A55 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41df6dc71c1ad5fecf29af0d81334f2e784631f2a58373c04acaa345d22e0d1
Instruction ID: e065ba09e2ad45be14b3f724afafc2d22ceba54d2edc67500c42f2c211d0b80c
Opcode Fuzzy Hash: f41df6dc71c1ad5fecf29af0d81334f2e784631f2a58373c04acaa345d22e0d1
Instruction Fuzzy Hash: D641EFB4E00218DFCB44EFA5D5947EDBBB2BF49304F24912AD419BB294DB346A4ACF50

Function 02C8D76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611b0d29077bf2eed3a2d7dd63e08ce652e18c063a20c8c4faa86cac3103a150
Instruction ID: 69ef4b884a7a2da25bb7df934f2f1851ff5c1697e57cf51b00cf2bf357471671
Opcode Fuzzy Hash: 611b0d29077bf2eed3a2d7dd63e08ce652e18c063a20c8c4faa86cac3103a150
Instruction Fuzzy Hash: 2B41F474D01218CFCB04EFA9D4846EDBBB2FF49319F60D619E406A7289D735A982CF54

Function 02C89390 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac47f18175bae58de9c44d91451a4119e980fdb5f4b5201eb6ea406f25f687f9
Instruction ID: 3ec793dc5ea2fca4447c69f5fa3504fe90045bab1fb461f2c0b37c1b45c5a72c
Opcode Fuzzy Hash: ac47f18175bae58de9c44d91451a4119e980fdb5f4b5201eb6ea406f25f687f9
Instruction Fuzzy Hash: 8E415A306002558FDB01DF68C844BAABBA6EFC9318F54C4A6E908CB3A6D771EE45CB51

Function 02C8D620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c587582e4ae91a4228850cf90d42f463d2222bf9396a1459efbbf0c9f571a366
Instruction ID: 2a7770c43bd883981812d907f14f74cbd237255dab97941896d6de2e39f15c98
Opcode Fuzzy Hash: c587582e4ae91a4228850cf90d42f463d2222bf9396a1459efbbf0c9f571a366
Instruction Fuzzy Hash: 63412470D01208CBCB04EFBAD444AEEFBB2BF89309F54D529D405A7299DB759942CF54

Function 02C84DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5624a9d461333a577d45a65bf38603fcce1c3321ce7b28b486a80d3deb744cc8
Instruction ID: e912da38523a54f5d652e005250097e15b895c465daa4bad249659a56bc38208
Opcode Fuzzy Hash: 5624a9d461333a577d45a65bf38603fcce1c3321ce7b28b486a80d3deb744cc8
Instruction Fuzzy Hash: 3631727164015B9FCB15AF69D854AAF7BA6FB88309F008414F9158B250CB39DD66CBE0

Function 02C8A65F Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479828937525d4e5c266c399671d7b683f8c8a4cc5f329662cc96dc0ed1f0d51
Instruction ID: 10c0fe93d0b252f913346b41b114afea3d1e49972deea30b5fc86c0fcb550962
Opcode Fuzzy Hash: 479828937525d4e5c266c399671d7b683f8c8a4cc5f329662cc96dc0ed1f0d51
Instruction Fuzzy Hash: C031AF35B002449FCB04AF78D8547AE7BB6BBCC214F148569D902E7391CE359C16CBA4

Function 02C892DF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e1e528a472f1ed5a662bae442c2eccac529f4ee69a0b9266498c74d4b8aab6
Instruction ID: 199ce8de05548aa2f1e94b73bcd08392686f7516af7b4129858ca84ee373df1e
Opcode Fuzzy Hash: c3e1e528a472f1ed5a662bae442c2eccac529f4ee69a0b9266498c74d4b8aab6
Instruction Fuzzy Hash: 3231B030A01645DFCB12DF2CC8809AABBB5FF89324F5485A6E849D7311C731E916CBA1

Function 02C876D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d55c12d5a5c4a8a2cee6b247ad9d840670ed00c2dba638a4d55a7fa3ebd0890
Instruction ID: ad6ee90ff6f316edc00b960afc9c26bffd38f36d29890df1b721cf25a3fc128d
Opcode Fuzzy Hash: 8d55c12d5a5c4a8a2cee6b247ad9d840670ed00c2dba638a4d55a7fa3ebd0890
Instruction Fuzzy Hash: BA21D6383042414BEB1627398D94B3DBAD79FC961DB2880B9D506CB795FF28CC4AD781

Function 02C8A84F Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf43b10456ebdc15e63fa97c91a339c7210f2c386bfdc7e83b72c69eb7dc6b4
Instruction ID: 6a6a86e6ed3d43fe718176ba3f9a780357de95a9358aab12fe7ee851711557cd
Opcode Fuzzy Hash: bdf43b10456ebdc15e63fa97c91a339c7210f2c386bfdc7e83b72c69eb7dc6b4
Instruction Fuzzy Hash: 76310771E042098FC705DF69C8846AEBBB2FF89318B15C05AD4519B3A6C7359D52CBE0

Function 02C8DF79 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a7faa263cc599101d455cfd8f1398784059a3ff48a973c9f500400ca56e535
Instruction ID: d061f78552af5f4b6c9c73fd9080498c2b9e35c19ad70bb9008d7d7bce0b16b3
Opcode Fuzzy Hash: d6a7faa263cc599101d455cfd8f1398784059a3ff48a973c9f500400ca56e535
Instruction Fuzzy Hash: 84210F30E002088BDB09EFBAD8046EDBBB2AFCA308F04D465D400B72A5DB319546DF55

Function 06B1DCB1 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db710149708d0e92ba9c70da214ee0f6cb1f7b20b9adb9fd1ce894df41c38320
Instruction ID: 4bedab2c7fcd8e12327c01ac1e7cdb961d5ce6e52dcb4b434f9490809cf49e2f
Opcode Fuzzy Hash: db710149708d0e92ba9c70da214ee0f6cb1f7b20b9adb9fd1ce894df41c38320
Instruction Fuzzy Hash: 41319A7180021ADFDB00AFA5D05C3EEBBB1FF4A316F0489A8D00266295CBB81A45CF94

Function 02C876E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04713dcdb24cf0b713b04be5cacc7f310da30a49a96efacc7168c07c1c88e973
Instruction ID: d32438e5b0ef05cdcf1dbad62040e510469bb48599e95691ef9052d205b42208
Opcode Fuzzy Hash: 04713dcdb24cf0b713b04be5cacc7f310da30a49a96efacc7168c07c1c88e973
Instruction Fuzzy Hash: BF21A13C3002014BEB16262A8994B3AB6879FC861DF28C078D506CB798FF29CC46D381

Function 02C82060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca95bf50a6cb69bfcd5c761b5328c002a147f2eb3a328a03f6cc2c64316c828d
Instruction ID: d0eddde38f5948abb86ea6649964c7de2bdbc1af602f97ac352c8cddab56e727
Opcode Fuzzy Hash: ca95bf50a6cb69bfcd5c761b5328c002a147f2eb3a328a03f6cc2c64316c828d
Instruction Fuzzy Hash: 2B21A135A001559FCB14EF64D844AAE37A5EB98258F10C519ED098B244EB35FE46CBD3

Function 02C85A63 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e7b4bc3afa3142728c6ddc6302eadbe3eec58880abe7a6163ebc94964b3d3cc
Instruction ID: 0ef18e0d90b71370c81adcb98bbeff4a32423394d7d176b3f735ee6e95740239
Opcode Fuzzy Hash: 9e7b4bc3afa3142728c6ddc6302eadbe3eec58880abe7a6163ebc94964b3d3cc
Instruction Fuzzy Hash: 5C21C535744A119FC316AA25C4A457FB7A2FFC969C70685A9E806DB350CF75DC06CBC0

Function 0132D404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500349924.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_132d000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a8d518a0d8ba40c7886b9fe832843ac0ec25afa4bb7486a5d7dae889f94555
Instruction ID: 71fc4b5c81f0a32eee1614bfe99ae827d9767b57d8c0038c0e45738e9e64bb1d
Opcode Fuzzy Hash: 89a8d518a0d8ba40c7886b9fe832843ac0ec25afa4bb7486a5d7dae889f94555
Instruction Fuzzy Hash: 48216771504244DFDB05EF98D9C0F66BF69FB88318F20C169E9091B657C73AE406C7A1

Function 02C89B94 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce908fb141a409cf955e2144c2f03dfe6155b2571e1bc6b4575bd279992e9732
Instruction ID: b390b0ffb6b98c453f8e32a8fc5b4431a0c368b0a47aa6fde00528f4fd148004
Opcode Fuzzy Hash: ce908fb141a409cf955e2144c2f03dfe6155b2571e1bc6b4575bd279992e9732
Instruction Fuzzy Hash: 9531AD31704684CFCB21DF68D884B697BB2EF8A318F05869AE5459F3A2C331E810CB61

Function 0133D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500392305.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_133d000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97f4eb733a7a45aa9d898f23e6902b22e211d896964b2d098a3b30b982ac0db
Instruction ID: 17c0c6a5bd9e28b577d48089a90fb9f148438bb00895574548750289d1bcdb9e
Opcode Fuzzy Hash: a97f4eb733a7a45aa9d898f23e6902b22e211d896964b2d098a3b30b982ac0db
Instruction Fuzzy Hash: 0D2122B15042089FCB15CFA8C9C0B26FB69FBC4718F60C66DE9490B352C73AD446CA66

Function 02C8215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a36b308b8d39a6ca54fd2b06a18111cc6a70bc1f1b522e6ffc51926a969c766
Instruction ID: 2744ad30f58a942268aa86cde53a58e19b46cce45ae97f8b8b924ab5bc6a2954
Opcode Fuzzy Hash: 3a36b308b8d39a6ca54fd2b06a18111cc6a70bc1f1b522e6ffc51926a969c766
Instruction Fuzzy Hash: 66115E35E042599FCB019BB89C104EEBB35FF8A310B258796D566B7051EA31290BC792

Function 06B196F0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc931e26a4f45c83d55e40d2dbfcc44bf3d24514dee57545b9d5dcdf0a32d32
Instruction ID: 3bc95e0409c496fcb71c44b118633d9f27ed44f8f9a4295dad468049b53cad9f
Opcode Fuzzy Hash: ccc931e26a4f45c83d55e40d2dbfcc44bf3d24514dee57545b9d5dcdf0a32d32
Instruction Fuzzy Hash: 2811C8363043541FDB466EB858645AF7EA7EFC9250B144869E507CB3D2DE398D02C3A6

Function 02C84DBB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897de0b5f64d06208ec7896327580eeaa9bdf50ddcf270bf6d4938fde50f4daf
Instruction ID: 24473c012e093b1a7b858f171ca3be883836d8d536bc842b4c84cbc8b0a23e93
Opcode Fuzzy Hash: 897de0b5f64d06208ec7896327580eeaa9bdf50ddcf270bf6d4938fde50f4daf
Instruction Fuzzy Hash: 7421F6726041969FCB25AF68D45476B7FA2FF8831CF008469F8458B241CB38DD16CBE4

Function 02C88EC1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d418794e2100f6e8930746c8c871c1950e7c7f4a0e4b80d2da3dccf294ec1b
Instruction ID: c2ddb4cfb7f5bfbaf420506973436239eb7a2906e1342a8cd8b5a5a6cff1cd8c
Opcode Fuzzy Hash: 94d418794e2100f6e8930746c8c871c1950e7c7f4a0e4b80d2da3dccf294ec1b
Instruction Fuzzy Hash: A3217A74E0025D9FCB04EFA5D550AEEBFB2BF88308F14816AE411E7294DB329A01CF50

Function 02C8D60F Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3969223a0c86877b18f41954b5a2160caba2c8b1d9823234b1e99cb4f57f0ef8
Instruction ID: 302c46c4e2dab0ec3e11845463e316ff21072a0f5aea536b41ab86db714165a8
Opcode Fuzzy Hash: 3969223a0c86877b18f41954b5a2160caba2c8b1d9823234b1e99cb4f57f0ef8
Instruction Fuzzy Hash: AC115670D002089BDB08EFBAD4446DEFBB2AFCE305F08C569D409A7299DB305546CF94

Function 02C85A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cff8c7083efae6c1a4b58dcc822866fec4233feb4ac082f1acc6efbe47895f2
Instruction ID: 178772101add4ba2dc4ea36ffe152fc769b35d94141cc1c602ba91ec0d726afd
Opcode Fuzzy Hash: 3cff8c7083efae6c1a4b58dcc822866fec4233feb4ac082f1acc6efbe47895f2
Instruction Fuzzy Hash: 7B11C2357409129FC7196A2AC498A3EB7A6BFC869D7568178E806CB350CF71DC06CBC0

Function 02C85B4F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 876187be4796ed60bcf57a14cd0c289daf8ab5340bbb546d5b61ea43cf00efb9
Instruction ID: 893201dbab5dd8fdc90978cebec105c8de3096246bd80519fd3edca144749160
Opcode Fuzzy Hash: 876187be4796ed60bcf57a14cd0c289daf8ab5340bbb546d5b61ea43cf00efb9
Instruction Fuzzy Hash: 28118E703006068FC350AF7ED094A2AB7D5BFD968876584BDD60ACB3A1DFA6DC05C7A4

Function 06B19999 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087093650e71db6c90088fc0ae8f0e74b1021e96f018ab6167bbe2c377fe0f4c
Instruction ID: 75c42aaf043394996d2f6770d92a9b8e4b88f2664b514e279fea4d7084d7a526
Opcode Fuzzy Hash: 087093650e71db6c90088fc0ae8f0e74b1021e96f018ab6167bbe2c377fe0f4c
Instruction Fuzzy Hash: 7F1126B6800389AFDB10DF99C845BDEBFF9EF48320F148459E518A7251C339A554DFA1

Function 0132D3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500349924.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_132d000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 6f4d2d12dcc9ff9b94729b36107f619ac95641b083f99fb34879d316083d9d83
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 8611E172404280CFCB12DF44D5C4B56BF71FB84328F24C5A9D9090B657C33AE45ACBA2

Function 02C81F61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3847ed565080f790f24e1c979d47b543ded66d87dba5c8150e43e5a5e19f548f
Instruction ID: d5ca6b26056d46068554295fd35dfa5ad21b90023214099ba7da0af160166d33
Opcode Fuzzy Hash: 3847ed565080f790f24e1c979d47b543ded66d87dba5c8150e43e5a5e19f548f
Instruction Fuzzy Hash: BA21F274D0564A8FCB41EFA8D8455EDFFF0BF0A304F14866AD809B3250EB301A55CBA2

Function 06B1E0CD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af4566756e401c3d7d3df3a912a2e00d63db9f853d9d2f39f1964488703421f
Instruction ID: f66bd21e0d712150207b5ea33139407143766fb5e99f3a2209daab50334d7498
Opcode Fuzzy Hash: 6af4566756e401c3d7d3df3a912a2e00d63db9f853d9d2f39f1964488703421f
Instruction Fuzzy Hash: 9A01B5707042549FD7041A7A58586BBBAAFBFCA310F548976E906C7396CE38CC1683B0

Function 02C8E205 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a938a6a2dbc4b97842311a5c5da2835c3edd57fb5f7dd3ca8652de5154a8d4e3
Instruction ID: fd42eb1ee9ee74d13990567037dca56f26ba6f570390a102b764d7c22cecbf87
Opcode Fuzzy Hash: a938a6a2dbc4b97842311a5c5da2835c3edd57fb5f7dd3ca8652de5154a8d4e3
Instruction Fuzzy Hash: 18213D74D0021A9FCB45EFB9D540A9EBFF6FF49304F10C6A9D01597229EB349A0ACB81

Function 02C81F08 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18311ae3af57453d881b64026879b49d5712c5a574a7253906102d83d979c0a
Instruction ID: 77f03b7b3af63e2a432c8edd13a820dfb40166f5316d845779da47793d754bab
Opcode Fuzzy Hash: b18311ae3af57453d881b64026879b49d5712c5a574a7253906102d83d979c0a
Instruction Fuzzy Hash: A2213674C0460A8FCB00EFA8D8445EEBFF1FF49308F14866AD845B7264EB305A45CBA1

Function 06B19350 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17c1b50425d5ded157ffa7801b01b5b870f7dbad7fa511f4c1239c13d52628fc
Instruction ID: f9f1e7a7d612a9faba1b7b3f90dcfc5fa145ce8509a409f9585044346d514167
Opcode Fuzzy Hash: 17c1b50425d5ded157ffa7801b01b5b870f7dbad7fa511f4c1239c13d52628fc
Instruction Fuzzy Hash: FD1156B6800349EFDB10DF99C804BEEBFF4EB48320F148459E918A7210C339A554CFA5

Function 02C8E208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414f56da6f2df613aa7c49578c6c7001d5371433b14622a806e0fa0859e4576b
Instruction ID: 7286807701d2af0db59bc1b6da924824b12157b3bca2403ea64db499b02d976e
Opcode Fuzzy Hash: 414f56da6f2df613aa7c49578c6c7001d5371433b14622a806e0fa0859e4576b
Instruction Fuzzy Hash: DA114F74D0021ADFCB45EFA9D540A9EBBF5FF49304F50C6A9D01497319EB349A06CB81

Function 06B18EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7775ccac696e41d79b8d898b377effcf150fa65b669ce4fd99db16ac0904692a
Instruction ID: 3e7d85a356593a2e5d902b2c3f627b53bbd5a5fdda7a710a21c5ca827ec963f0
Opcode Fuzzy Hash: 7775ccac696e41d79b8d898b377effcf150fa65b669ce4fd99db16ac0904692a
Instruction Fuzzy Hash: 74112A75E001499FEB00DFE8D850BEEBBB2BF48315F8095A1E908AB349E630D9428B50

Function 0133D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500392305.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_133d000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: a58085fd252a648b7492060d1fe94f1a7e7c3e88e322d7a43a9e4e42ec974c4b
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 2111DD75504284CFDB12CF54C9C4B15FFA2FB84318F24C6A9D8494B252C33AD44ACF62

Function 02C85607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138442a8e1d8b93fc8c85e3e4226535430c397359fc5e69731c2a91d7dda7f71
Instruction ID: cd3cb7ea5a15efa854b6fd124b73e36058615454f35c4e295163a39524c6cbdb
Opcode Fuzzy Hash: 138442a8e1d8b93fc8c85e3e4226535430c397359fc5e69731c2a91d7dda7f71
Instruction Fuzzy Hash: 3801F571B041156FDB02AE689810AAF3FE7DBC9395B19C06AF505C7294CE758C16C7A0

Function 06B1267D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2c29be190b050757003e4cd216b2d29dc4052aff04f1d2ec4f7a1eb70cff3b
Instruction ID: f1ab370b88683a9f5a301118a55181d4fc8a054934c178f88f8cbe37abceac96
Opcode Fuzzy Hash: 5d2c29be190b050757003e4cd216b2d29dc4052aff04f1d2ec4f7a1eb70cff3b
Instruction Fuzzy Hash: 1E0148B5F502249FC794EB78D50865E7BF4FF4832571506AAE41AEB324DA31DD018B90

Function 06B125E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f1ebf279dbfc14030165210603a131fafe36ed9a5381708d1c012795d19d865
Instruction ID: 255c2ebc4de818de0f2c36986c5ecc95b7ddc971f81a513850e543c5850b3f0d
Opcode Fuzzy Hash: 7f1ebf279dbfc14030165210603a131fafe36ed9a5381708d1c012795d19d865
Instruction Fuzzy Hash: D501B670E002199FCF54EFBAC9006AEBBF5BF49205F50856AD519E7250E7385A02CF91

Function 02C8D449 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c53842ce23316728cd3a719a6f1350b311235c532bc73930b3a5ab3775dd78c
Instruction ID: a1ad01120f369928ea181a11293549314675dcc5a95ac8ec562206259fe6fbc9
Opcode Fuzzy Hash: 1c53842ce23316728cd3a719a6f1350b311235c532bc73930b3a5ab3775dd78c
Instruction Fuzzy Hash: 26F0E530A08389D7D706AF7AA808AEABB789BC7300F4054B4E544E7196C7716229DF96

Function 02C8DF08 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad02fd1f8b2fa764423faff2deb84f3eb8421ab381c841b36c9da605543ff75b
Instruction ID: 210981074c6f9951a2ad79009f16d13474254cf408725be4cd5914634bf948c0
Opcode Fuzzy Hash: ad02fd1f8b2fa764423faff2deb84f3eb8421ab381c841b36c9da605543ff75b
Instruction Fuzzy Hash: A3F0E534904345DFD706EF79A4046AABBB8EB8B305F449864D405A3092CB71951CCB91

Function 02C8D4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0b3fa390f7758cd41205cb8cd1294cc98d2154dd3acec8deab05d2999cf656
Instruction ID: 32efa7d6c5e6d744ae7b9db7ac7347d2b7188bdcbd6b04045118313c23a3d1ce
Opcode Fuzzy Hash: fc0b3fa390f7758cd41205cb8cd1294cc98d2154dd3acec8deab05d2999cf656
Instruction Fuzzy Hash: 05E026E2C08144CBD329ABB764260B9BF74CDE7319B84E0D7D08BDB5A5D228E216DF11

Function 02C8201B Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a32bcf6c46629502e56796986c1579b2f3ddfd2012de17fd4eea7ee0c2a749
Instruction ID: 6c3bad0669116ac9782394be5b86009a6bcb5ce5924e659206495640dc93570b
Opcode Fuzzy Hash: e0a32bcf6c46629502e56796986c1579b2f3ddfd2012de17fd4eea7ee0c2a749
Instruction Fuzzy Hash: 34E0C231D2026786CB21EBA0A8444EEBB34EED6364B50472AD41836000EB302A5AC6A1

Function 02C82020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c35334365acca33bac5a368b829fc271e0d3db65ced8347aa97fd71a414a0e5
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: 9c35334365acca33bac5a368b829fc271e0d3db65ced8347aa97fd71a414a0e5
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Function 02C88258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: b6a80db0bac9312e88e8481ff0af2401212e5d625faa6b3ed71f3f0c2db40517
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 62C08C3320C12C2AAA34708F7C40EB3BB8CC3C23F8A654237F91CE3640A942AC8041F9

Function 02C8A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247414b49b8c32ab10511d32e184366bc66ac55f69fc3db4f26016aface6d87b
Instruction ID: 262dc9373124bfe527a014db32f1768ebdcffc207a7597e3c519d7de73100291
Opcode Fuzzy Hash: 247414b49b8c32ab10511d32e184366bc66ac55f69fc3db4f26016aface6d87b
Instruction Fuzzy Hash: 76D0677BB410189FCB049F98EC409DDBBB6FB9C221B048516E925A3261C6319921DB60

Function 02C85EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cab55563d45dc4b40e1b52406cfb165a597fbe42a629f66d39b2e2631d08c2c
Instruction ID: 6887123affd5f691868afb3c0044c0a12a4b0e9b3caa835842542de4d986eed3
Opcode Fuzzy Hash: 1cab55563d45dc4b40e1b52406cfb165a597fbe42a629f66d39b2e2631d08c2c
Instruction Fuzzy Hash: 53C0127454471A4BC549FB76FA45916376EBBC4208F504B20E00A0612DEF7C684987D4

Function 02C85EB7 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 389a75ac11f24415421f981b6137dea9a695878e3cb92fe99dfe72e3e476e890
Instruction ID: 051ea32611010ac8f47e2c85e8d8fde6a9527b2e8eae83f57c5a1de388eeeb73
Opcode Fuzzy Hash: 389a75ac11f24415421f981b6137dea9a695878e3cb92fe99dfe72e3e476e890
Instruction Fuzzy Hash: E7D022345403060ACA09FB36F6818993B3BFFC0208F204B20E0060602DDF79480BCB80

Non-executed Functions

Function 06B128B0 Relevance: 23.0, Strings: 18, Instructions: 461COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06B12CF6
Lj@p, xrefs: 06B12D67
PH]q, xrefs: 06B12BFE
PH]q, xrefs: 06B12EE6
PH]q, xrefs: 06B12DEB
", xrefs: 06B13087
Lj@p, xrefs: 06B12B7A
Lj@p, xrefs: 06B12C5C
Lj@p, xrefs: 06B12B64
PH]q, xrefs: 06B12DD7
0o@p, xrefs: 06B12A00
Lj@p, xrefs: 06B12E49
Lj@p, xrefs: 06B12E5F
PH]q, xrefs: 06B12BEA
Lj@p, xrefs: 06B12C72
Lj@p, xrefs: 06B12D51
PH]q, xrefs: 06B12ED2
PH]q, xrefs: 06B12CE2

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID: "$0o@p$Lj@p$Lj@p$Lj@p$Lj@p$Lj@p$Lj@p$Lj@p$Lj@p$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q
API String ID: 0-1947560563
Opcode ID: abb60e765d858ec05b862499a72567d4d34a65c4826ddc18dedab204f49dc6da
Instruction ID: 94d7afc29380e8d9eb97a8f99e7e5fec9fde8f932829a873c279a3f88af8f78b
Opcode Fuzzy Hash: abb60e765d858ec05b862499a72567d4d34a65c4826ddc18dedab204f49dc6da
Instruction Fuzzy Hash: EE3290B4E002188FDB64DF69D944B9DBBB2BF89300F1081E9D809AB365DB759E85CF14

Function 06B12809 Relevance: 14.2, Strings: 11, Instructions: 420COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06B12CF6
PH]q, xrefs: 06B12DD7
0o@p, xrefs: 06B12A00
PH]q, xrefs: 06B12BFE
PH]q, xrefs: 06B12EE6
Haq, xrefs: 06B12869
PH]q, xrefs: 06B12BEA
PH]q, xrefs: 06B12ED2
PH]q, xrefs: 06B12DEB
PH]q, xrefs: 06B12CE2
", xrefs: 06B13087

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID: "$0o@p$Haq$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q
API String ID: 0-401091292
Opcode ID: 5c0c05ff48f658b41e480f4f9f05e85aa981b81155c521dec205c084677f5133
Instruction ID: 476f47cb64cde99167b3f3669b82294f58fa2dd7c673a7b7a42472ed91ae2274
Opcode Fuzzy Hash: 5c0c05ff48f658b41e480f4f9f05e85aa981b81155c521dec205c084677f5133
Instruction Fuzzy Hash: FB12E5B4E002188FDB58DF69D954B9DBBF2BF89300F1081A9D809AB365DB359E85CF50

Function 06B12807 Relevance: 14.1, Strings: 11, Instructions: 387COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06B12CF6
PH]q, xrefs: 06B12DD7
0o@p, xrefs: 06B12A00
PH]q, xrefs: 06B12BFE
PH]q, xrefs: 06B12EE6
Haq, xrefs: 06B12869
PH]q, xrefs: 06B12BEA
PH]q, xrefs: 06B12ED2
PH]q, xrefs: 06B12DEB
PH]q, xrefs: 06B12CE2
", xrefs: 06B13087

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID: "$0o@p$Haq$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q
API String ID: 0-401091292
Opcode ID: 5e52d99a5d1d7f41d3e3f725673370d197fc02a9fd1af95de5e292458a1eeb1e
Instruction ID: 16e2a14e44a9b7c1f2a2a2b0295abf3004e3f914baeed37e9b9684917daf50bb
Opcode Fuzzy Hash: 5e52d99a5d1d7f41d3e3f725673370d197fc02a9fd1af95de5e292458a1eeb1e
Instruction Fuzzy Hash: 7912D5B4E002188FDB58DF69D954B9DBBF2BF89300F1085A9D409AB365DB359E85CF10

Function 02C8E528 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5uq, xrefs: 02C8E643

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: .5uq
API String ID: 0-910421107
Opcode ID: b4423cb8d3e779fd5df24a2d19d170f4af95e0444780277b1f61acdab0037ab7
Instruction ID: 1c02e4d9aec89b6cf14ad29a44878334ee3b12dd0a1c67c1bd0a52e163d7a14e
Opcode Fuzzy Hash: b4423cb8d3e779fd5df24a2d19d170f4af95e0444780277b1f61acdab0037ab7
Instruction Fuzzy Hash: 09529C74E01229CFDB64EF69C884B9DBBB2BF89304F1085E9D409A7254DB35AE85CF50

Function 06B133B8 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

0o@p, xrefs: 06B13423

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID: 0o@p
API String ID: 0-848860569
Opcode ID: 58375bb28ff56f7248cf3335aef259b3079d5f4aeca04926dc5cd3e62b869998
Instruction ID: 7a71625f6978e21ec0389fe87e4c3d0f7a4a8669375e64258b064bb5bca27a70
Opcode Fuzzy Hash: 58375bb28ff56f7248cf3335aef259b3079d5f4aeca04926dc5cd3e62b869998
Instruction Fuzzy Hash: 1CB19274E00218CFDB54DFA9D884A9DBBF2FF89310F2481A9D819AB365DB34A945CF50

Function 06B133A8 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

0o@p, xrefs: 06B13423

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID: 0o@p
API String ID: 0-848860569
Opcode ID: 655162b845b1d8b4f92bd61541876ffbb7444045e423976f373d658b065db282
Instruction ID: c50b9a7b77c44927f408690caa86820baaaa08c9903119728a9850536560f0f8
Opcode Fuzzy Hash: 655162b845b1d8b4f92bd61541876ffbb7444045e423976f373d658b065db282
Instruction Fuzzy Hash: 5F51A6B4E00618DFDB48DFAAD48499DBBF2BF89310F148169D419BB365EB34A942CF50

Function 06AECAA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ee99e13b3c134e14c75df051a7cae0c1288315a85a770b1f517b806a334ab3
Instruction ID: 5eab618f2771ad118018a9717dec48f9150c06da7c5633dc954eef2caad3f0d3
Opcode Fuzzy Hash: 45ee99e13b3c134e14c75df051a7cae0c1288315a85a770b1f517b806a334ab3
Instruction Fuzzy Hash: ABC1F374E00218CFDB54EFA5C984B9DBBB2BF89304F2081A9D819AB355DB359E85CF50

Function 06AE04A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027d7dd6da11c19a6f5abe0c8856f72b7b6bd40ac2eed26b183ee2562bb49c88
Instruction ID: 062551f3a9c326e964ea5ca4b84e8f73f880ba75e5a1c72df7ad33963c2a7f2f
Opcode Fuzzy Hash: 027d7dd6da11c19a6f5abe0c8856f72b7b6bd40ac2eed26b183ee2562bb49c88
Instruction Fuzzy Hash: F8C1C074E00218CFDB54DFA5D994B9DBBB2BF89304F2081A9D809AB365DB349E85CF50

Function 06AEE4B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf26ba15c2667acaa6ec9b84a8c3c317f0bffb445be67da8eeea5844d13a641
Instruction ID: 42dc8e48dc730cd1a83ac6654c991888305f306ef793cbf949a884d431558d57
Opcode Fuzzy Hash: 3cf26ba15c2667acaa6ec9b84a8c3c317f0bffb445be67da8eeea5844d13a641
Instruction Fuzzy Hash: D5C1D374E00218CFDB54EFA5D994B9DBBB2BF88304F2081A9D409AB365DB359E85CF50

Function 06AEB4E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef416b78ee18778583d7a89f0a65a538576c91eb8a81803a1d89661bc7b48d19
Instruction ID: 85af70d76b82d71fcd77c8a13b73bfc5c5feb2da0165677e0f207ad3a18d1a94
Opcode Fuzzy Hash: ef416b78ee18778583d7a89f0a65a538576c91eb8a81803a1d89661bc7b48d19
Instruction Fuzzy Hash: BEC1D274E00218CFDB54EFA5D994B9DBBB2BF89304F2081A9D409AB365DB349E85CF50

Function 06AECEF8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829bde1f24d56a34bd01beab64db20f37a7d40697a38841509d08368e14efeb5
Instruction ID: b24ec7c77bfef2513255b2f4b5e77661a34f89a69482685d4befd4f0825fe82c
Opcode Fuzzy Hash: 829bde1f24d56a34bd01beab64db20f37a7d40697a38841509d08368e14efeb5
Instruction Fuzzy Hash: 34C1D474E00218CFDB54EFA5D954B9DBBB2BF89304F2081A9D409AB365DB349E85CF50

Function 06AEDC00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d38529f90ba68d7b2ec36203d4afe976cd1339a75979b97ae5c26d39be132a2
Instruction ID: 315e36ffbb065363ef71dd679b4363c77439bdefbcc43bd54951b129d2f4e136
Opcode Fuzzy Hash: 6d38529f90ba68d7b2ec36203d4afe976cd1339a75979b97ae5c26d39be132a2
Instruction Fuzzy Hash: F1C1E374E00218CFDB54EFA5D984B9DBBB2BF89304F2081A9D809AB355DB349E85CF50

Function 06AEF610 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39e2adfd30abc9f3b74a90f90c0201d0f57a2f3044e5c800e5a4d9feff32f2d2
Instruction ID: 69afd351ee892790800e4783fc89514ae46618bab582ee1a4d8a5fb4bacd6778
Opcode Fuzzy Hash: 39e2adfd30abc9f3b74a90f90c0201d0f57a2f3044e5c800e5a4d9feff32f2d2
Instruction Fuzzy Hash: E0C1B174E00218CFDB54EFA5D954B9DBBB2BF88304F2081A9D809AB365DB359E85CF50

Function 06AEFA68 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cae5795f9945159a563874f5401eca4b3ff8e31b8d56d030059f27895e1e8f1
Instruction ID: 65e76b61fe96e52be299220e65e75b3f0b9f7df69494178da38f0905f262db9a
Opcode Fuzzy Hash: 4cae5795f9945159a563874f5401eca4b3ff8e31b8d56d030059f27895e1e8f1
Instruction Fuzzy Hash: D0C1C274E00218CFDB54EFA5D954B9DBBB2BF89304F2081A9D409AB355DB349E85CF50

Function 06AEC648 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa455b990db6b9450284ec9794ea680d2a3639a59cd74814afda58673ca208b
Instruction ID: f2ff7a98e8ca1f57d475e344e04f19c1c3f0a35cb7d6a71e2f2c125eb7a24726
Opcode Fuzzy Hash: 5aa455b990db6b9450284ec9794ea680d2a3639a59cd74814afda58673ca208b
Instruction Fuzzy Hash: 53C1E374E00218CFDB54EFA5C984B9DBBB2BF88304F2081A9D419AB355DB349E85CF50

Function 06AED7A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cdbfe67c6a2697ff77d2752b9e463bdb373fbafcf3e5535b95ff5a1244e7c1a
Instruction ID: 55b4c1944fd82bf450f04a8875d124425fe9dc3cc36ecd1af5f1b906fd72403c
Opcode Fuzzy Hash: 6cdbfe67c6a2697ff77d2752b9e463bdb373fbafcf3e5535b95ff5a1244e7c1a
Instruction Fuzzy Hash: 17C1E474E00218CFDB54EFA5D944B9DBBB2BF88304F2081A9D809AB355DB349E85CF50

Function 06AEF1B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17c808aaa893d0dce4c0f47a04461a481ed399a2e7ccfe352d3b8727a88d9e4
Instruction ID: 9a60a8d20349f2317ec9324b54bdca27f1cc9c75da97d0964a9587d489cf1157
Opcode Fuzzy Hash: a17c808aaa893d0dce4c0f47a04461a481ed399a2e7ccfe352d3b8727a88d9e4
Instruction Fuzzy Hash: E6C1C074E00218CFDB54EFA5D984B9DBBB2BF89304F2081A9D809AB355DB359E85CF50

Function 06AEBD98 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64726b2b44900624eceb80eae6aafb31def6afc3688372a74cc006e79faebf3f
Instruction ID: c143821d936209d3762f64a43488051a22d45ac410085f275ff19fe5b36a84f9
Opcode Fuzzy Hash: 64726b2b44900624eceb80eae6aafb31def6afc3688372a74cc006e79faebf3f
Instruction Fuzzy Hash: 9CC1D374E00218CFDB54EFA5D984B9DBBB2BF89304F2081A9D419AB365DB349E85CF50

Function 06AEC1F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf7bb7a8a98acf09fb16fc1c50fb8c8a94666ee8e1239f72c0cccfe621932f6
Instruction ID: 1e71688410cf3f4319f00a8a8fa9cbfbadbb3fc9499a1c658ca68ef2ba27670d
Opcode Fuzzy Hash: 3bf7bb7a8a98acf09fb16fc1c50fb8c8a94666ee8e1239f72c0cccfe621932f6
Instruction Fuzzy Hash: 30C1E374E00218CFDB54EFA5D984B9DBBB2BF89304F2081A9D819AB355DB349E85CF50

Function 06AEE908 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bebec621eae94891e8661ec082778fd3b4b65e8d8e04b80874737be784ffa63f
Instruction ID: 10b73e5e834e54eb45ba0acebb0c45bb267d36c904095033a21590bda13ba27b
Opcode Fuzzy Hash: bebec621eae94891e8661ec082778fd3b4b65e8d8e04b80874737be784ffa63f
Instruction Fuzzy Hash: FCC1D374E00218CFDB54EFA5D984B9DBBB2BF89304F2081A9D809AB355DB349E85CF50

Function 06AE0900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 640f61fcd3b4b1ad9a1386be3b9fd6d08d0c4f5d2665b3f850734646ace1308b
Instruction ID: 54961843afb91a4c3a796e030432c5bffe4f019be49360bd915386a75734b1d7
Opcode Fuzzy Hash: 640f61fcd3b4b1ad9a1386be3b9fd6d08d0c4f5d2665b3f850734646ace1308b
Instruction Fuzzy Hash: C8C1D274E00218CFDB54DFA5D994B9DBBB2BF89304F2081A9D809AB355DB34AE85CF50

Function 06AE0D60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51699a15733383b34a6f2f3d5e7ad5ee9e67382d2e57d47370160e05b6134ee
Instruction ID: 1ee39ad479f5fecf9989b697c55b0f1b2da4b2e855ff19edbb4a3adf52ae8da0
Opcode Fuzzy Hash: f51699a15733383b34a6f2f3d5e7ad5ee9e67382d2e57d47370160e05b6134ee
Instruction Fuzzy Hash: C8C1D274E00228CFDB54DFA5D944B9DBBB2BF89304F2081A9D809AB365DB359E85CF50

Function 06AEED60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0081d8ea8f74510bf0c8520b7fce1ed218c41122f78db8643a4356f8a8a9a0b5
Instruction ID: f297dc2b008afe87c4469a19ea8eca2334918ff69b000002bc45049d2dc7054b
Opcode Fuzzy Hash: 0081d8ea8f74510bf0c8520b7fce1ed218c41122f78db8643a4356f8a8a9a0b5
Instruction Fuzzy Hash: ADC1C274E00218CFDB54EFA5D954B9DBBB2BF89304F2081A9D409AB355DB349E85CF50

Function 06AEB940 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb00dd125b998cb4bdd2ef60437e067c5b9533488ee03b907227944536d5baf
Instruction ID: 0cfa35fefa60b9f40a810941773335d00bdf229849cd4c983005ed859bd23e00
Opcode Fuzzy Hash: eeb00dd125b998cb4bdd2ef60437e067c5b9533488ee03b907227944536d5baf
Instruction Fuzzy Hash: E3C1C474E00218CFDB54EFA5D994B9DBBB2BF88304F2081A9D409AB355DB359E85CF50

Function 06AED350 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502668226.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ae0000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47688c2291dc1f11dad6d3e20f61926d51c92cdbf3ab593c2a3fef86685103b4
Instruction ID: 412f0853cf16571b91b873c7c87aaf02d862786c5d8149545babe0892af97033
Opcode Fuzzy Hash: 47688c2291dc1f11dad6d3e20f61926d51c92cdbf3ab593c2a3fef86685103b4
Instruction Fuzzy Hash: C8C1E274E00218CFDB54EFA5D994B9DBBB2BF88304F2081A9D409AB365DB349E85CF50

Function 06B15EC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9797458e227ade8c42ea4869088f52ca03d5faf72c8f5014fa063cac64f24b
Instruction ID: 17a076c068ea06c55bb68904c0e70822adb4fdc8acbe3aa08bfde44d4169468e
Opcode Fuzzy Hash: 7b9797458e227ade8c42ea4869088f52ca03d5faf72c8f5014fa063cac64f24b
Instruction Fuzzy Hash: 81C1C274E00218CFDB54EFA5D984B9DBBB2BF89304F2081A9D809AB355DB359E85CF50

Function 06B15618 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e03cd62740ad086d486ff2b0801b60da8d95495ca8c7537eff0eb2a99d66aa
Instruction ID: c66d564d5bf9a3371a0a33462f33daf155345c6bcfacb8d806f239e0316ecb33
Opcode Fuzzy Hash: 07e03cd62740ad086d486ff2b0801b60da8d95495ca8c7537eff0eb2a99d66aa
Instruction Fuzzy Hash: 38C1D3B4E00218CFDB54EFA5D994B9DBBB2BF88304F1081A9D409AB355DB349E85CF50

Function 06B15A70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e4a68ce97fac6a42329287300c5d1cd0f7bf386c4ac44e23c84baf298b4ce5
Instruction ID: 4b7feb6e4bb66e8f209e17459ec5932b46999763095ed3a0a17f419a99161921
Opcode Fuzzy Hash: 37e4a68ce97fac6a42329287300c5d1cd0f7bf386c4ac44e23c84baf298b4ce5
Instruction Fuzzy Hash: 8FC1C3B4E00218CFDB54EFA5D984B9DBBB2BF89304F2081A9D409AB355DB359E85CF50

Function 06B16BD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 409d7ca3d99234ce40677907b39e7222cd7ed32a32e9ef472f70678ecb07dd61
Instruction ID: 057d9ac8172e0fa93157397d2eb1499dd2351c82510dc3ea8fc5d41906feb53c
Opcode Fuzzy Hash: 409d7ca3d99234ce40677907b39e7222cd7ed32a32e9ef472f70678ecb07dd61
Instruction Fuzzy Hash: B0C1C274E00218CFDB54EFA5D984B9DBBB2BF88304F2081A9D419AB365DB359E85CF50

Function 06B16320 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fd796b2361e6e1bd9b82af1b3e4dbe93b3ebcdc7ab54181b4c2b64fed552ce1
Instruction ID: a3096989fd16748233bb7d17b1f9e86bf33ae9e12855f7bf05baafac5321b1d1
Opcode Fuzzy Hash: 0fd796b2361e6e1bd9b82af1b3e4dbe93b3ebcdc7ab54181b4c2b64fed552ce1
Instruction Fuzzy Hash: F4C1D274E00218CFDB54EFA5D994B9DBBB2BF88304F2081A9D809AB355DB349E85CF50

Function 06B16778 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2d1b3d7244e5e3fdf440b7470bce10582fba5a23ceaa46edf09fdb376b5505
Instruction ID: e80675af7a267cd8315ad17aa30fd7b6ea9f4d80167f8fc0d18eb5b7889dbfd6
Opcode Fuzzy Hash: da2d1b3d7244e5e3fdf440b7470bce10582fba5a23ceaa46edf09fdb376b5505
Instruction Fuzzy Hash: 68C1D374E00218CFDB54EFA5D954B9DBBB2BF89304F2081A9D809AB355DB349E85CF50

Function 06B174A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b02148c9caec54d1ee4d09384e91b2177deb53bd9c8322ca4694b5211f8c7c8
Instruction ID: 524a58933428e4e26eae9ad618d1d69355e631989d7e980e38ac59b7917c70ad
Opcode Fuzzy Hash: 7b02148c9caec54d1ee4d09384e91b2177deb53bd9c8322ca4694b5211f8c7c8
Instruction Fuzzy Hash: E6C1C174E00218CFDB54EFA5D994B9DBBB2BF89304F2081A9D809AB355DB349E85CF50

Function 06B10498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 644b7b731e74078c3e36ac69e06ce6f2649ae97642d1ecb572d33c6176d9512d
Instruction ID: 52bd9d453345b6e07855670ecb78c46e2278f8f84aeb3901180bac73789d6b9c
Opcode Fuzzy Hash: 644b7b731e74078c3e36ac69e06ce6f2649ae97642d1ecb572d33c6176d9512d
Instruction Fuzzy Hash: F1C1C174E00218CFDB54EFA5D984B9DBBB2BF88304F2081A9D409AB365DB359E85CF50

Function 06B108F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a46d4dc3939482396853cd1f09c9c9c2ecc453cf189572fe436031f89c217334
Instruction ID: 5feb4f106f540e60b31853a3d3d28efe58208cf65e264dcb2d2fec1f8be226d2
Opcode Fuzzy Hash: a46d4dc3939482396853cd1f09c9c9c2ecc453cf189572fe436031f89c217334
Instruction Fuzzy Hash: 88C1C174E00218CFDB54EFA5D994B9DBBB2BF88304F2081A9D809AB355DB349E85CF50

Function 06B17050 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d3506d20128f8a166b39bc2b2047d2c12e3488ae6a823e7fc72c84d541f400
Instruction ID: d23df4284f8d97bba289ec3eafe3f795239437deb8e622223b35ed6d8f73db66
Opcode Fuzzy Hash: 79d3506d20128f8a166b39bc2b2047d2c12e3488ae6a823e7fc72c84d541f400
Instruction Fuzzy Hash: 67C1E374E00228CFDB54EFA5D994B9DBBB2BF89304F2081A9D409AB355DB349E85CF50

Function 06B10040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a61268f4e2701a461755d9dda80053ac0582aa2dafd2b2b299c0d7b1c26a9b58
Instruction ID: 4d32ed26c72b2fb8e8e2280ef71c8c49de8df10153ad54c658904729f82cfa31
Opcode Fuzzy Hash: a61268f4e2701a461755d9dda80053ac0582aa2dafd2b2b299c0d7b1c26a9b58
Instruction Fuzzy Hash: A3C1C274E00218CFDB54EFA5D994B9DBBB2BF89304F2081A9D809AB355DB349E85CF50

Function 06B181B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cdd43b7a31badf81cf5a7a95382e69b85730c9722ce4c23b30f0e45b00d9d9e
Instruction ID: 450743e87755e332636ff2926616be3a89392a6cfe1923aa372ef8737951efcb
Opcode Fuzzy Hash: 3cdd43b7a31badf81cf5a7a95382e69b85730c9722ce4c23b30f0e45b00d9d9e
Instruction Fuzzy Hash: 27C1C274E00218CFDB54EFA5D944B9DBBB2BF89304F1081A9D809AB355DB349E85CF50

Function 06B15198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66950b4a034a7e5f4621aa5e034f616aeddd4f5f0b44cc319e23a03433fc431e
Instruction ID: b4f1bb5e4420d4c1e68ad011a5673f81cbc571722855939ef620883ab207d3e1
Opcode Fuzzy Hash: 66950b4a034a7e5f4621aa5e034f616aeddd4f5f0b44cc319e23a03433fc431e
Instruction Fuzzy Hash: FFC1D3B4E00218CFDB54EFA5D984B9DBBB2BF89304F2081A9D409AB355DB349D85CF50

Function 06B17900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1fe2133ca948d94c6b8e4c34edd783b19609eee2468c05b79956acbca176535
Instruction ID: 67ef6cd5c68af91b16f0ccfb5d77d62b3ba0f098fdd5a5a0a23cdd18111448e6
Opcode Fuzzy Hash: f1fe2133ca948d94c6b8e4c34edd783b19609eee2468c05b79956acbca176535
Instruction Fuzzy Hash: BDC1C274E00218CFDB54EFA5D994B9DBBB2BF88304F2081A9D809AB355DB359E85CF50

Function 06B17D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c37cc450256e2295daa0cde660f10e9e8ba35a2769bd9e0e9409dd7ba28e066d
Instruction ID: a106643aea44c83d3b3a939d5cc48d9d3ce721f2e94a3c0f1bbd63dc2ea87ffa
Opcode Fuzzy Hash: c37cc450256e2295daa0cde660f10e9e8ba35a2769bd9e0e9409dd7ba28e066d
Instruction Fuzzy Hash: A8C1D274E00218CFDB54EFA5D944B9DBBB2BF89304F2081A9D819AB355DB349E85CF50

Function 06B10D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c011b9d4b3092f7c2f25d5c893d6033f212f2c881f384118fb4c4bf881e866c2
Instruction ID: 679937951284af3fbcadf0ac6545d2c42aad8471ab40d0f59e0a9feb05d6cd03
Opcode Fuzzy Hash: c011b9d4b3092f7c2f25d5c893d6033f212f2c881f384118fb4c4bf881e866c2
Instruction Fuzzy Hash: 03C1D274E00218CFDB54EFA5D994B9DBBB2BF89304F2081A9D809AB355DB349E85CF50

Function 06B136CE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4502806131.0000000006B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b10000_order6566546663.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3077b327e4cf057375fa2da3c15ee1d621c3abc4225124ebf963a1bcc1311626
Instruction ID: d07f7ee3749b787e590794d7a2a9ca2f7b94f64dd3834b0c2a7cd24e54b46a6f
Opcode Fuzzy Hash: 3077b327e4cf057375fa2da3c15ee1d621c3abc4225124ebf963a1bcc1311626
Instruction Fuzzy Hash: BBD05E34D0421CCACB20EF68D8503ADB372FF82304F0020E6C109B7250D7345E109F12

Function 02C86088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;]q, xrefs: 02C860BA
\;]q, xrefs: 02C86094
\;]q, xrefs: 02C860C6
\;]q, xrefs: 02C8609E

Memory Dump Source

Source File: 00000001.00000002.4500624953.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c80000_order6566546663.jbxd

Similarity

API ID:
String ID: \;]q$\;]q$\;]q$\;]q
API String ID: 0-2351511683
Opcode ID: 9237d034a0fe84a0a561356627b6bff1f87f0dc2c768be9fe2653311282438ed
Instruction ID: ca395a5b6c54f7b08db6c6cc6918ac990458da80e050fd034364aed6d79e0297
Opcode Fuzzy Hash: 9237d034a0fe84a0a561356627b6bff1f87f0dc2c768be9fe2653311282438ed
Instruction Fuzzy Hash: BB01BC317000148F8B24AE2DC580A2677EEAFC8AA9335817AE501CB3B4DB72DC41C7CC

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to lowest risk score due to lack of data" ] }
Date: unknown

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report order6566546663.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order6566546663.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
order6566546663.exe

Function 00E0AE48 Relevance: 1.9, Strings: 1, Instructions: 615
COMMON

Function 00E09F3C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Function 00E0AA20 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Function 00E09F60 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Function 00E0AB78 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Function 00E0A8F8 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Function 00E09F48 Relevance: 1.6, APIs: 1, Instructions: 91
threadCOMMON

Function 00E0AC98 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Function 00B9D4FC Relevance: .1, Instructions: 75
COMMON

Function 02C8B328 Relevance: 6.6, Strings: 5, Instructions: 357
COMMON

Function 02C8C470 Relevance: 6.4, Strings: 5, Instructions: 198
COMMON

Function 02C8BBD3 Relevance: 6.4, Strings: 5, Instructions: 195
COMMON

Function 02C8C751 Relevance: 6.4, Strings: 5, Instructions: 193
COMMON

Function 02C84AD9 Relevance: 6.4, Strings: 5, Instructions: 188
COMMON

Function 02C8C193 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Function 02C8CA31 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Function 02C8BEB7 Relevance: 6.4, Strings: 5, Instructions: 181
COMMON

Function 02C86730 Relevance: 5.5, Strings: 4, Instructions: 452
COMMON

Function 02C8B4F3 Relevance: 3.9, Strings: 3, Instructions: 154
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre