
Windows Analysis Report
MV Nicos Tomasos Vessel Parts.exe

Overview

General Information

Sample name: MV Nicos Tomasos Vessel Parts.exe
Analysis ID: 1592380
MD5: 83050104bb90edac542d79e85804c457
SHA1: da8f36787211711c57a9d2cee3866f4cc8e77173
SHA256: 4dcd586650a966fdcfd3259fbc5a7cc291bc6bfa86300975eba687dead7cdbf3
Tags: exe, SnakeKeylogger, user-threatcat_ch

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
AI detected suspicious sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • MV Nicos Tomasos Vessel Parts.exe (PID: 6784 cmdline: "C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe" MD5: 83050104BB90EDAC542D79E85804C457)
    • MV Nicos Tomasos Vessel Parts.exe (PID: 6848 cmdline: "C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe" MD5: 83050104BB90EDAC542D79E85804C457)
      • WerFault.exe (PID: 3260 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 1488 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
Malware configuration: {"Exfil Mode": "SMTP", "Username": "frankichong@yulifertilizer.com.my", "Password": "Ayfc931319*", "Host": "yulifertilizer.com.my", "Port": "25", "Version": "5.1"}
Source | Rule | Description | Author | Strings
Source: 00000000.00000002.1741630940.0000000004BC0000.00000004.08000000.00040000.00000000.sdmp; Rule: MALWARE_Win_DLInjector02; Description: Detects downloader injector; Author: ditekSHen
  • 0x4ae6b:$x1: In$J$ct0r
Source: 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_SnakeKeylogger; Description: Yara detected Snake Keylogger; Author: Joe Security
Source: 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: Windows_Trojan_SnakeKeylogger_af3faa65; Description: unknown; Author: unknown
  • 0x1494c:$a1: get_encryptedPassword
  • 0x14c38:$a2: get_encryptedUsername
  • 0x14758:$a3: get_timePasswordChanged
  • 0x14853:$a4: get_passwordField
  • 0x14962:$a5: set_encryptedPassword
  • 0x15fc5:$a7: get_logins
  • 0x15f28:$a10: KeyLoggerEventArgs
  • 0x15b93:$a11: KeyLoggerEventArgsEventHandler
Source: 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: MALWARE_Win_SnakeKeylogger; Description: Detects Snake Keylogger; Author: ditekSHen
  • 0x182e0:$x1: $%SMTPDV$
  • 0x18346:$x2: $#TheHashHere%&
  • 0x199af:$x3: %FTPDV$
  • 0x19aa3:$x4: $%TelegramDv$
  • 0x15b93:$x5: KeyLoggerEventArgs
  • 0x15f28:$x5: KeyLoggerEventArgs
  • 0x199d3:$m2: Clipboard Logs ID
  • 0x19bf3:$m2: Screenshot Logs ID
  • 0x19d03:$m2: keystroke Logs ID
  • 0x19fdd:$m3: SnakePW
  • 0x19bcb:$m4: \SnakeKeylogger\
Source | Rule | Description | Author | Strings
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.unpack; Rule: JoeSecurity_SnakeKeylogger; Description: Yara detected Snake Keylogger; Author: Joe Security
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.unpack; Rule: Windows_Trojan_SnakeKeylogger_af3faa65; Description: unknown; Author: unknown
  • 0x12d4c:$a1: get_encryptedPassword
  • 0x13038:$a2: get_encryptedUsername
  • 0x12b58:$a3: get_timePasswordChanged
  • 0x12c53:$a4: get_passwordField
  • 0x12d62:$a5: set_encryptedPassword
  • 0x143c5:$a7: get_logins
  • 0x14328:$a10: KeyLoggerEventArgs
  • 0x13f93:$a11: KeyLoggerEventArgsEventHandler
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.unpack; Rule: MAL_Envrial_Jan18_1; Description: Detects Encrial credential stealer malware; Author: Florian Roth
  • 0x1a7ad:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x199df:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x19e12:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1ae51:$a5: \Kometa\User Data\Default\Login Data
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.unpack; Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook; Description: Detects executables with potential process hoocking; Author: ditekSHen
  • 0x1391a:$s1: UnHook
  • 0x13921:$s2: SetHook
  • 0x13929:$s3: CallNextHook
  • 0x13936:$s4: _hook
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: MV Nicos Tomasos Vessel Parts.exe; Avira: detected
Source: 00000001.00000002.1987166158.0000000003231000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "frankichong@yulifertilizer.com.my", "Password": "Ayfc931319*", "Host": "yulifertilizer.com.my", "Port": "25", "Version": "5.1"}
Source: MV Nicos Tomasos Vessel Parts.exe; Virustotal: Detection: 48%
Source: MV Nicos Tomasos Vessel Parts.exe; ReversingLabs: Detection: 39%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: MV Nicos Tomasos Vessel Parts.exe; Joe Sandbox ML: detected
Source: MV Nicos Tomasos Vessel Parts.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: MV Nicos Tomasos Vessel Parts.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1986157052.00000000014F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WER4F42.tmp.dmp.4.dr
Source: Binary string: System.Core.pdbR source: WER4F42.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1986157052.00000000014F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER4F42.tmp.dmp.4.dr
Source: Binary string: Microsoft.VisualBasic.pdb4v source: WER4F42.tmp.dmp.4.dr
Source: Binary string: System.Configuration.ni.pdb source: WER4F42.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1986157052.00000000014F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER4F42.tmp.dmp.4.dr
Source: Binary string: System.Configuration.pdb source: WER4F42.tmp.dmp.4.dr
Source: Binary string: System.Xml.pdb source: WER4F42.tmp.dmp.4.dr
Source: Binary string: System.pdb source: WER4F42.tmp.dmp.4.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER4F42.tmp.dmp.4.dr
Source: Binary string: \??\C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.PDB source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1986157052.00000000014F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WER4F42.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdb source: WER4F42.tmp.dmp.4.dr
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: MV Nicos Tomasos Vessel Parts.exe, 00000000.00000002.1741031571.0000000002611000.00000004.00000800.00020000.00000000.sdmp, MV Nicos Tomasos Vessel Parts.exe, 00000000.00000002.1742548308.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: %%.pdb source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1986010731.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER4F42.tmp.dmp.4.dr
Source: Binary string: System.Configuration.pdbx source: WER4F42.tmp.dmp.4.dr
Source: Binary string: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.PDB source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1986010731.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER4F42.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1986157052.00000000014F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbH source: WER4F42.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdb source: WER4F42.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1986157052.00000000014F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER4F42.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbU source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1986157052.00000000014F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER4F42.tmp.dmp.4.dr
Source: Binary string: System.ni.pdb source: WER4F42.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER4F42.tmp.dmp.4.dr

Networking

Source: Yara match; File source: 1.2.MV Nicos Tomasos Vessel Parts.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View; IP Address: 193.122.6.168
Source: unknown; DNS query: name: checkip.dyndns.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)  Host: checkip.dyndns.org  Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)  Host: checkip.dyndns.org  Connection: Keep-Alive
Source: global traffic; DNS traffic detected: DNS query: checkip.dyndns.org
Source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1987166158.00000000032F4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.com
Source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1987166158.0000000003231000.00000004.00000800.00020000.00000000.sdmp, MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1987166158.00000000032F4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org
Source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1987166158.0000000003231000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/
Source: MV Nicos Tomasos Vessel Parts.exe, 00000000.00000002.1741154645.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/q
Source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1987166158.0000000003231000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr; String found in binary or memory: http://upx.sf.net
Source: MV Nicos Tomasos Vessel Parts.exe, 00000000.00000002.1741154645.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/

System Summary

Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.unpack, type: UNPACKEDPE; Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.unpack, type: UNPACKEDPE; Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3663f90.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.4bc0000.5.unpack, type: UNPACKEDPE; Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3663f90.4.unpack, type: UNPACKEDPE; Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.4bc0000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects downloader injector Author: ditekSHen
Source: 1.2.MV Nicos Tomasos Vessel Parts.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.MV Nicos Tomasos Vessel Parts.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.MV Nicos Tomasos Vessel Parts.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.MV Nicos Tomasos Vessel Parts.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.unpack, type: UNPACKEDPE; Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.unpack, type: UNPACKEDPE; Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.2622038.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.261f7f8.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.1741630940.0000000004BC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1741154645.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1741154645.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: MV Nicos Tomasos Vessel Parts.exe PID: 6784, type: MEMORYSTR; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MV Nicos Tomasos Vessel Parts.exe PID: 6784, type: MEMORYSTR; Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: MV Nicos Tomasos Vessel Parts.exe PID: 6848, type: MEMORYSTR; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MV Nicos Tomasos Vessel Parts.exe PID: 6848, type: MEMORYSTR; Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe; Code function: 0_2_00B7AE48
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe; Code function: 1_2_0179215C
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 1488
Source: MV Nicos Tomasos Vessel Parts.exe, 00000000.00000002.1741031571.0000000002611000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs MV Nicos Tomasos Vessel Parts.exe
Source: MV Nicos Tomasos Vessel Parts.exe, 00000000.00000002.1741031571.0000000002611000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs MV Nicos Tomasos Vessel Parts.exe
Source: MV Nicos Tomasos Vessel Parts.exe, 00000000.00000000.1733573821.0000000000192000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameBladeNoPa.exe4 vs MV Nicos Tomasos Vessel Parts.exe
Source: MV Nicos Tomasos Vessel Parts.exe, 00000000.00000002.1741630940.0000000004BC0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameExample.dll0 vs MV Nicos Tomasos Vessel Parts.exe
Source: MV Nicos Tomasos Vessel Parts.exe, 00000000.00000002.1742548308.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs MV Nicos Tomasos Vessel Parts.exe
Source: MV Nicos Tomasos Vessel Parts.exe, 00000000.00000002.1739770016.00000000007FE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs MV Nicos Tomasos Vessel Parts.exe
Source: MV Nicos Tomasos Vessel Parts.exe, 00000000.00000002.1741154645.00000000036B6000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs MV Nicos Tomasos Vessel Parts.exe
Source: MV Nicos Tomasos Vessel Parts.exe, 00000000.00000002.1741154645.0000000003615000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameExample.dll0 vs MV Nicos Tomasos Vessel Parts.exe
Source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs MV Nicos Tomasos Vessel Parts.exe
Source: MV Nicos Tomasos Vessel Parts.exe; Binary or memory string: OriginalFilenameBladeNoPa.exe4 vs MV Nicos Tomasos Vessel Parts.exe
Source: MV Nicos Tomasos Vessel Parts.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
          Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
          Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
          Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3663f90.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
          Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.4bc0000.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
          Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3663f90.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
          Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.4bc0000.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
          Source: 1.2.MV Nicos Tomasos Vessel Parts.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
          Source: 1.2.MV Nicos Tomasos Vessel Parts.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 1.2.MV Nicos Tomasos Vessel Parts.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
          Source: 1.2.MV Nicos Tomasos Vessel Parts.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
          Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
          Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
          Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
          Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
          Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
          Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
          Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
          Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.2622038.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.MV Nicos Tomasos Vessel Parts.exe.261f7f8.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.1741630940.0000000004BC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1741154645.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1741154645.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: MV Nicos Tomasos Vessel Parts.exe PID: 6784, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MV Nicos Tomasos Vessel Parts.exe PID: 6784, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: MV Nicos Tomasos Vessel Parts.exe PID: 6848, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MV Nicos Tomasos Vessel Parts.exe PID: 6848, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/6@1/1
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MV Nicos Tomasos Vessel Parts.exe.log
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6848
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\99e33e8a-28c8-4b8f-92b9-1d1c3602e779
Source: MV Nicos Tomasos Vessel Parts.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: MV Nicos Tomasos Vessel Parts.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MV Nicos Tomasos Vessel Parts.exe | Virustotal: Detection: 48%
Source: MV Nicos Tomasos Vessel Parts.exe | ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | File read: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe
Source: unknown | Process created: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe "C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe"
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Process created: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe "C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe" (a second instance of the same image, started by the first; the original report lists this creation twice)
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 1488 (Windows Error Reporting invoked for PID 6848, the second instance, which crashed; the WER4F42.tmp.dmp and Amcache.hve artifacts cited later in this section are written by this WerFault process)
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: windows.storage.dll
(The load sequence below starts again at mscoree.dll. Only this second sequence pulls in the RAS, Winsock, WinHTTP and DNS stack, so network activity belongs to the later-loading process.)
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: MV Nicos Tomasos Vessel Parts.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: MV Nicos Tomasos Vessel Parts.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb | source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1986157052.00000000014F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb | source: WER4F42.tmp.dmp.4.dr
Source: Binary string: System.Core.pdbR | source: WER4F42.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb | source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1986157052.00000000014F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS | source: WER4F42.tmp.dmp.4.dr
Source: Binary string: Microsoft.VisualBasic.pdb4v | source: WER4F42.tmp.dmp.4.dr
Source: Binary string: System.Configuration.ni.pdb | source: WER4F42.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb | source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1986157052.00000000014F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS | source: WER4F42.tmp.dmp.4.dr
Source: Binary string: System.Configuration.pdb | source: WER4F42.tmp.dmp.4.dr
Source: Binary string: System.Xml.pdb | source: WER4F42.tmp.dmp.4.dr
Source: Binary string: System.pdb | source: WER4F42.tmp.dmp.4.dr
Source: Binary string: System.Xml.ni.pdbRSDS# | source: WER4F42.tmp.dmp.4.dr
Source: Binary string: \??\C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.PDB | source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1986157052.00000000014F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb | source: WER4F42.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdb | source: WER4F42.tmp.dmp.4.dr
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb | source: MV Nicos Tomasos Vessel Parts.exe, 00000000.00000002.1741031571.0000000002611000.00000004.00000800.00020000.00000000.sdmp, MV Nicos Tomasos Vessel Parts.exe, 00000000.00000002.1742548308.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp (this PDB path survives in the first process's memory only; the project name UpdatedRunpe identifies a RunPE-style loader, which fits the second instance of the same executable being spawned and written to by the first)
Source: Binary string: %%.pdb | source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1986010731.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb | source: WER4F42.tmp.dmp.4.dr
Source: Binary string: System.Configuration.pdbx | source: WER4F42.tmp.dmp.4.dr
Source: Binary string: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.PDB | source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1986010731.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb | source: WER4F42.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb | source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1986157052.00000000014F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbH | source: WER4F42.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdb | source: WER4F42.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb | source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1986157052.00000000014F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb | source: WER4F42.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbU | source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1986157052.00000000014F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN | source: WER4F42.tmp.dmp.4.dr
Source: Binary string: System.ni.pdb | source: WER4F42.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdbRSDS | source: WER4F42.tmp.dmp.4.dr
Source: MV Nicos Tomasos Vessel Parts.exe | Static PE information: TimeDateStamp 0xDA00EF84 [Sun Nov 25 02:40:04 2085 UTC]
Source: MV Nicos Tomasos Vessel Parts.exe | Static PE information: section name: .text entropy: 7.213209862456027
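The static findings above (a COFF TimeDateStamp in 2085, a .text section whose entropy is above 7, the DllCharacteristics flags and the CLR header in the COM descriptor data directory) can be reproduced with a few dozen lines of header parsing. The block below is an added example written for this page; it is not Joe Sandbox code and not code from the sample. The PE header it parses is constructed in build_sample_header with the timestamp and flag values this report shows, and the 1995 lower bound and the 7-bit entropy threshold are this example's own choices. One caveat: deterministic builds of .NET assemblies (the default in current .NET SDKs) store a hash of the build inputs in TimeDateStamp instead of a time, so an impossible build date on a managed binary is weak evidence on its own.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# IMAGE_DLLCHARACTERISTICS_* values (winnt.h) for the flags this report lists.
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data directory slot holding the CLR header
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_pe_header(data: bytes) -> dict:
    """Extract the header fields the static checks need from a raw PE image (or its first few KB)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: MZ signature missing")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: PE signature missing")
    coff = e_lfanew + 4
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, coff)
    opt = coff + 20  # IMAGE_OPTIONAL_HEADER follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    if magic == PE32_MAGIC:
        num_dirs, dir_base = struct.unpack_from("<I", data, opt + 92)[0], opt + 96
    else:
        num_dirs, dir_base = struct.unpack_from("<I", data, opt + 108)[0], opt + 112
    com_rva = com_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        com_rva, com_size = struct.unpack_from(
            "<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return {
        "machine": machine,
        "is_pe32plus": magic == PE32PLUS_MAGIC,
        "number_of_sections": nsections,
        "timestamp": timestamp,
        "dll_characteristics": [name for bit, name in DLL_CHARACTERISTICS.items() if dll_chars & bit],
        "has_clr_header": com_rva != 0 and com_size != 0,
    }


def timestamp_to_utc(timestamp: int) -> datetime:
    """TimeDateStamp is seconds since the Unix epoch; timedelta sidesteps the 2038 limit of fromtimestamp."""
    return EPOCH + timedelta(seconds=timestamp)


def timestamp_is_suspicious(timestamp: int, now: datetime) -> bool:
    """Flag a build stamp in the future or before 1995 (lower bound chosen for this example).
    Deterministic .NET builds store a content hash here, so treat a hit on a managed PE as weak."""
    built = timestamp_to_utc(timestamp)
    return built > now or built < datetime(1995, 1, 1, tzinfo=timezone.utc)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform). Above ~7 in a code section usually
    means packed or encrypted data rather than compiled code."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def build_sample_header(timestamp: int, dll_chars: int, com_rva: int = 0x2008, com_size: int = 0x48) -> bytes:
    """Constructed minimal PE32 header (DOS stub, PE signature, COFF header, 224-byte optional header)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    # Machine i386, 3 sections, timestamp, no symbols, 224-byte optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, com_rva, com_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # 0xDA00EF84 and 0x8540 (DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE) are the values in this report.
    info = parse_pe_header(build_sample_header(0xDA00EF84, 0x8540))
    print(info)
    print(timestamp_to_utc(info["timestamp"]).isoformat(),
          timestamp_is_suspicious(info["timestamp"], datetime.now(timezone.utc)))
    print(shannon_entropy(bytes(range(256))), shannon_entropy(b"\0" * 64))
```

Running the block against the constructed header decodes 0xDA00EF84 to 2085-11-25T02:40:04+00:00 and reports the four DllCharacteristics flags and a present CLR header, matching the report rows above; on a real file, pass the first few kilobytes of the image to parse_pe_header and the raw bytes of each section to shannon_entropy.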
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Process information set: NOOPENFILEERRORBOX (70 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (51 identical entries)

          Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: MV Nicos Tomasos Vessel Parts.exe PID: 6784, type: MEMORYSTR
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Memory allocated: B70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Memory allocated: 2610000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Memory allocated: 2520000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Memory allocated: 1770000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Memory allocated: 3230000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Memory allocated: 5230000 memory reserve | memory write watch
(The MEM_WRITE_WATCH reservations above are how the .NET Framework garbage collector sets up its heaps; every managed executable produces these rows, so they carry no weight on their own.)
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe TID: 6836 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Thread delayed: delay time: 922337203685477
(The Amcache.hve.4.dr rows below come from the Amcache hive written by the WerFault process that handled the crash of PID 6848, the same process index that produced WER4F42.tmp.dmp. They are the analysis VM's own hardware and driver inventory, not strings from the sample, and do not by themselves show that the sample fingerprints virtual machines. The "Hyper-V RAW" string found in the sample's memory is the name of the Winsock provider registered by mswsock.dll, which every Windows 10 process that loads Winsock carries. The anti-VM evidence in this section is the Yara match on the process memory of PID 6784 listed at its start.)
Source: Amcache.hve.4.dr | Binary or memory string: VMware
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1986157052.00000000014F6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
          Source: Amcache.hve.4.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
          Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Memory written: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Process created: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe "C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe"
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Queries volume information: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe VolumeInformation
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Queries volume information: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe VolumeInformation
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe

          Stealing of Sensitive Information

Source: Yara match | File source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.MV Nicos Tomasos Vessel Parts.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1741154645.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1987166158.0000000003231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MV Nicos Tomasos Vessel Parts.exe PID: 6784, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MV Nicos Tomasos Vessel Parts.exe PID: 6848, type: MEMORYSTR

Source: Yara match | File source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.MV Nicos Tomasos Vessel Parts.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1741154645.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MV Nicos Tomasos Vessel Parts.exe PID: 6784, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MV Nicos Tomasos Vessel Parts.exe PID: 6848, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match | File source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.MV Nicos Tomasos Vessel Parts.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.MV Nicos Tomasos Vessel Parts.exe.36f81f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.MV Nicos Tomasos Vessel Parts.exe.3718e20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1741154645.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1987166158.0000000003231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MV Nicos Tomasos Vessel Parts.exe PID: 6784, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MV Nicos Tomasos Vessel Parts.exe PID: 6848, type: MEMORYSTR
MITRE ATT&CK Matrix (digits in front of a technique are the report's signature-count badges)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: 111 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: 1 Masquerading, 1 Disable or Modify Tools, 41 Virtualization/Sandbox Evasion, 111 Process Injection, 1 Obfuscated Files or Information, 1 Software Packing, 1 Timestomp, 1 DLL Side-Loading
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: 21 Security Software Discovery, 1 Process Discovery, 41 Virtualization/Sandbox Evasion, 1 System Network Configuration Discovery, 12 System Information Discovery, Wi-Fi Discovery, Remote System Discovery, System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: 1 Archive Collected Data, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: 1 Encrypted Channel, 1 Ingress Tool Transfer, 2 Non-Application Layer Protocol, 12 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

Source | Detection | Scanner | Label
MV Nicos Tomasos Vessel Parts.exe | 49% | Virustotal |
MV Nicos Tomasos Vessel Parts.exe | 39% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
MV Nicos Tomasos Vessel Parts.exe | 100% | Avira | HEUR/AGEN.1311171
MV Nicos Tomasos Vessel Parts.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
checkip.dyndns.com | 193.122.6.168 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.4.dr | false | | high
http://checkip.dyndns.org | MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1987166158.0000000003231000.00000004.00000800.00020000.00000000.sdmp, MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1987166158.00000000032F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1987166158.00000000032F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1987166158.0000000003231000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | MV Nicos Tomasos Vessel Parts.exe, 00000000.00000002.1741154645.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | MV Nicos Tomasos Vessel Parts.exe, 00000000.00000002.1741154645.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, MV Nicos Tomasos Vessel Parts.exe, 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
                            Joe Sandbox version:42.0.0 Malachite
                            Analysis ID:1592380
                            Start date and time:2025-01-16 02:34:07 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 4m 49s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:9
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:MV Nicos Tomasos Vessel Parts.exe
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@4/6@1/1
                            EGA Information:
                            • Successful, ratio: 50%
                            HCA Information:
                            • Successful, ratio: 96%
                            • Number of executed functions: 22
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 20.42.65.92, 40.126.32.136, 52.149.20.212, 13.107.246.45
                            • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                            • Execution Graph export aborted for target MV Nicos Tomasos Vessel Parts.exe, PID 6848 because it is empty
• Not all processes were analyzed, report is missing behavior information
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                            • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
20:35:29 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match: 193.122.6.168
Associated Sample Name / URL | Detection | Threat Name | Context
Order Details.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Contrarre.exe | malicious | MassLogger RAT | checkip.dyndns.org/
Company introduction.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
rDEKONT-1_15_2025__75kb__pdf.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
mnXS9meqtB.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
gGI2gVBI0f.exe | malicious | MassLogger RAT | checkip.dyndns.org/
ZpYFG94D4C.exe | malicious | Snake Keylogger | checkip.dyndns.org/
ZaRP7yvL1J.exe | malicious | MassLogger RAT | checkip.dyndns.org/
grrezORe7h.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
ty1nyFUMlo.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/

Match: checkip.dyndns.com
Associated Sample Name / URL | Detection | Threat Name | Context
order6566546663.exe | malicious | Snake Keylogger | 132.226.247.73
Order Details.exe | malicious | Snake Keylogger | 193.122.6.168
BNXCXCJSD.jse | malicious | MassLogger RAT | 132.226.247.73
NEWORDER.exe | malicious | MassLogger RAT | 132.226.247.73
Invoice No 1122207 pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
PDF6UU0CVUO2W-YGVUIO.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.130.0
PO#_1100015533.scr | malicious | MassLogger RAT, PureLog Stealer | 193.122.130.0
1nl3hc.ps1 | malicious | MassLogger RAT | 193.122.130.0
Contrarre.exe | malicious | MassLogger RAT | 193.122.6.168
Company introduction.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168

Match: ORACLE-BMC-31898US
Associated Sample Name / URL | Detection | Threat Name | Context
Order Details.exe | malicious | Snake Keylogger | 193.122.6.168
Execute.ps1 | malicious | Metasploit | 158.101.196.44
Invoice No 1122207 pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
PDF6UU0CVUO2W-YGVUIO.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.130.0
PO#_1100015533.scr | malicious | MassLogger RAT, PureLog Stealer | 193.122.130.0
1nl3hc.ps1 | malicious | MassLogger RAT | 193.122.130.0
Contrarre.exe | malicious | MassLogger RAT | 193.122.6.168
Company introduction.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
rDEKONT-1_15_2025__75kb__pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
RFQ_AS0101402025.22025_PDF.exe | malicious | MassLogger RAT | 158.101.44.242
                            No context
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.1019135460272063
                            Encrypted:false
                            SSDEEP:192:1QWDDX0T0BU/6aice36izuiF8Z24IO86:XDDX0ABU/6ajVizuiF8Y4IO86
                            MD5:BF914F790404609BC75BBEF757C19CF3
                            SHA1:350909885D61FADC11982FE97C9AEDE706F13E37
                            SHA-256:F876AC185527EADA699C9E95FDAFBC60D4598A4FB0A180117E18EDC1847BC8A6
                            SHA-512:90D149361882B35EBF3791F35B745C87C9DA7D62580BA76F3E010A77D2E8AC3518BF75943B2DAED4CEAECE6B0B17DC5269538C71DCA7525165AB0DE478B33FC7
                            Malicious:false
                            Reputation:low
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:Mini DuMP crash report, 15 streams, Thu Jan 16 01:35:17 2025, 0x1205a4 type
                            Category:dropped
                            Size (bytes):263696
                            Entropy (8bit):3.7985620357010896
                            Encrypted:false
                            SSDEEP:3072:qnY2YS4uEqVLTgL0yJUDJQ4CGofzLW0f:qnjYS4MTgL0yJUDJ37ezX
                            MD5:88B78CD4CDAF17F990E4B9A6B2BC3E48
                            SHA1:705DBF13B8B76F4A1B6C536208EC6D366ED2A0DD
                            SHA-256:CD51FBAB1AE7D4C3CF58E5EFE11118C08D2391020FDBA414A58B4038D7682461
                            SHA-512:F314F3579A93D578C86C19AE6A9990674712DB464F2E602503FE5CD8746A99F779E0961EB2AB18694B11BFFE267EC778EA57FC31E49C3ACA5C1435217D5F04F8
                            Malicious:false
                            Reputation:low
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):6396
                            Entropy (8bit):3.7220556844265995
                            Encrypted:false
                            SSDEEP:96:RSIU6o7wVetb1EE6akYy/4xuQE/8085aM4UG89bYHsfz9om:R6l7wVeJeE6akYi400prG89bYHsfz9om
                            MD5:247F565ABC28EC458552C0EDA1C794F7
                            SHA1:801D0C02EA422254504E838A58FC634DCFBCAE76
                            SHA-256:FB1A8B701E47689DFFB70EADF97BE2CCEB534FDA2C41BAA1FF4F5B8E15012282
                            SHA-512:4E10CCB30FA81DBB41917958101B28338EAE781C0D50F4AB004794FC36225A9532733310997EC15E155E607F757410E7E1CF27371A9C7C8ABA468EC1F59E44C3
                            Malicious:false
                            Reputation:low
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4754
                            Entropy (8bit):4.502314883366749
                            Encrypted:false
                            SSDEEP:48:cvIwWl8zs/Jg77aI983WpW8VYdYm8M4JpjFio+q8E/GPr4d:uIjfhI7yG7VFJBGPr4d
                            MD5:166BDEA619C847554A127AC8212FFA2F
                            SHA1:7173082B66EDED1E03759270B28421FE8F7950AC
                            SHA-256:1C7014D58DB69D383244D657C01B28BF389B080D53764AF2F9B66BB2DCE33688
                            SHA-512:F0730E9FF345B250A0A96C11776184752EED2EC4B24F941148E75102916D490323DA4DB710931BC33ED0E05B7674DAEEBA0A0E471282B9F57B902974D730A3CA
                            Malicious:false
                            Reputation:low
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="677797" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                            Process:C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):706
                            Entropy (8bit):5.349842958726647
                            Encrypted:false
                            SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M9XKbbDLI4MWuPJKAVKhat92n4M6:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84j
                            MD5:9BA266AD16952A9A57C3693E0BCFED48
                            SHA1:5DB70A3A7F1DB4E3879265AB336B2FA1AFBCECD5
                            SHA-256:A6DFD14E82D7D47195A1EC7F31E64C2820AB8721EF4B5825E21E742093B55C0E
                            SHA-512:678E1F639379FC24919B7CF562FA19CE53363CBD4B0EAB66486F6F8D5DD5958DE3AAE8D7842EE868EFCC39D907FDC1A3ACF464E29D37B0DAEE9874C39730FE8E
                            Malicious:true
                            Reputation:moderate, very likely benign file
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                            Process:C:\Windows\SysWOW64\WerFault.exe
                            File Type:MS Windows registry file, NT/2000 or above
                            Category:dropped
                            Size (bytes):1835008
                            Entropy (8bit):4.4657343715061
                            Encrypted:false
                            SSDEEP:6144:iIXfpi67eLPU9skLmb0b4vWSPKaJG8nAgejZMMhA2gX4WABl0uNldwBCswSbP:HXD94vWlLZMM6YFH/+P
                            MD5:955243DF794CDA126ECBCBF52D971688
                            SHA1:3AD6E416923C4E592F27F08C23EBC3479F1F9F3F
                            SHA-256:975F0E42DB3A86B56D063E2FC5C26B47E3A727F2C9BC7FEFB16BC11BA153D2DA
                            SHA-512:AF9E1F0BF080E2BB03E14DF684BE6C7580274B39BC1EC74EE9650EA6419C35560A9438B86E8C099939731D7FEB60F034E50B95E4BFA99AA750EB0359BC4956AF
                            Malicious:false
                            Reputation:low
                            Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmRI..g..............................................................................................................................................................................................................................................................................................................................................B...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.202812833451401
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            • Win32 Executable (generic) a (10002005/4) 49.78%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:MV Nicos Tomasos Vessel Parts.exe
                            File size:591'360 bytes
                            MD5:83050104bb90edac542d79e85804c457
                            SHA1:da8f36787211711c57a9d2cee3866f4cc8e77173
                            SHA256:4dcd586650a966fdcfd3259fbc5a7cc291bc6bfa86300975eba687dead7cdbf3
                            SHA512:e2faed6275bfaa0c2162b9284b7353f79206d8ecd1f3504dbdc1bb4099dba66b9df94aa718a52e41a99c05d1ee4581db9b19be934fae9d6e0e14bb03d5f8ed88
                            SSDEEP:12288:ZbRKjP7ne23gAcdtfD1hUK/IBW+hb9LinPXPgm:DKjP7e23gAcvfD1gW+Vy
                            TLSH:F2C4AE9C2B9889F5D87645B29CF2545E7B78B90221F0E46420CB0EDDADDAF43099837F
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. .......................`............@................................
                            Icon Hash:90cececece8e8eb0
                            Entrypoint:0x491bce
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0xDA00EF84 [Sun Nov 25 02:40:04 2085 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction
                            jmp dword ptr [00402000h]
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x91b80 | 0x4b | .text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x92000 | 0x5a6 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x94000 | 0xc | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x2000 | 0x8fbd4 | 0x8fc00 | d5b450dd42388d098060a0283aa62e99 | False | 0.5194769021739131 | data | 7.213209862456027 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rsrc | 0x92000 | 0x5a6 | 0x600 | c474081526abd64245cfd3ae4521545e | False | 0.4173177083333333 | data | 4.084105898819439 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0x94000 | 0xc | 0x200 | 48598e14c8fb96c5183ccca32e3b49d0 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_VERSION | 0x920a0 | 0x31c | data | | | 0.4296482412060301
                            RT_MANIFEST | 0x923bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                            DLL | Import
                            mscoree.dll | _CorExeMain
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Jan 16, 2025 02:35:06.075459957 CET | 49730 | 80 | 192.168.2.4 | 193.122.6.168
                            Jan 16, 2025 02:35:06.080446005 CET | 80 | 49730 | 193.122.6.168 | 192.168.2.4
                            Jan 16, 2025 02:35:06.080526114 CET | 49730 | 80 | 192.168.2.4 | 193.122.6.168
                            Jan 16, 2025 02:35:06.080735922 CET | 49730 | 80 | 192.168.2.4 | 193.122.6.168
                            Jan 16, 2025 02:35:06.085617065 CET | 80 | 49730 | 193.122.6.168 | 192.168.2.4
                            Jan 16, 2025 02:35:17.559510946 CET | 80 | 49730 | 193.122.6.168 | 192.168.2.4
                            Jan 16, 2025 02:35:17.614835978 CET | 49730 | 80 | 192.168.2.4 | 193.122.6.168
                            Jan 16, 2025 02:35:30.859482050 CET | 49730 | 80 | 192.168.2.4 | 193.122.6.168
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Jan 16, 2025 02:35:06.057296991 CET | 50820 | 53 | 192.168.2.4 | 1.1.1.1
                            Jan 16, 2025 02:35:06.064595938 CET | 53 | 50820 | 1.1.1.1 | 192.168.2.4
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Jan 16, 2025 02:35:06.057296991 CET | 192.168.2.4 | 1.1.1.1 | 0x3b1f | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Jan 16, 2025 02:35:06.064595938 CET | 1.1.1.1 | 192.168.2.4 | 0x3b1f | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
                            Jan 16, 2025 02:35:06.064595938 CET | 1.1.1.1 | 192.168.2.4 | 0x3b1f | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                            Jan 16, 2025 02:35:06.064595938 CET | 1.1.1.1 | 192.168.2.4 | 0x3b1f | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                            Jan 16, 2025 02:35:06.064595938 CET | 1.1.1.1 | 192.168.2.4 | 0x3b1f | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                            Jan 16, 2025 02:35:06.064595938 CET | 1.1.1.1 | 192.168.2.4 | 0x3b1f | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                            Jan 16, 2025 02:35:06.064595938 CET | 1.1.1.1 | 192.168.2.4 | 0x3b1f | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                            • checkip.dyndns.org
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.4 | 49730 | 193.122.6.168 | 80 | 6848 | C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jan 16, 2025 02:35:06.080735922 CET | 151 | OUT | GET / HTTP/1.1
                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                            Host: checkip.dyndns.org
                            Connection: Keep-Alive
                            Jan 16, 2025 02:35:17.559510946 CET | 697 | IN | HTTP/1.1 504 Gateway Time-out
                            Date: Thu, 16 Jan 2025 01:35:17 GMT
                            Content-Type: text/html
                            Content-Length: 557
                            Connection: keep-alive
                            Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

                            Target ID:0
                            Start time:20:35:04
                            Start date:15/01/2025
                            Path:C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe"
                            Imagebase:0x190000
                            File size:591'360 bytes
                            MD5 hash:83050104BB90EDAC542D79E85804C457
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000000.00000002.1741630940.0000000004BC0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1741154645.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1741154645.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1741154645.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1741154645.00000000036B6000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:20:35:04
                            Start date:15/01/2025
                            Path:C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\MV Nicos Tomasos Vessel Parts.exe"
                            Imagebase:0xeb0000
                            File size:591'360 bytes
                            MD5 hash:83050104BB90EDAC542D79E85804C457
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                            • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000002.1985907468.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                            • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.1987166158.0000000003231000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:4
                            Start time:20:35:17
                            Start date:15/01/2025
                            Path:C:\Windows\SysWOW64\WerFault.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 1488
                            Imagebase:0xff0000
                            File size:483'680 bytes
                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true


                              Execution Graph

                              Execution Coverage:5.7%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:76%
                              Total number of Nodes:25
                              Total number of Limit Nodes:1
                              Execution graph (rendered as an image in the original report; 25 nodes, 1 limit node). The graph starts at b7ad88 -> b7ada2 -> b7ae48 -> b7ae7b -> b79f3c (whose block b7b978 calls CreateProcessW). From b7b052 onward the API-bearing nodes, in the order of their calling blocks, are: b79f48 Wow64GetThreadContext, b79f60 ReadProcessMemory, b7ab78 VirtualAllocEx, b7aa20 WriteProcessMemory (called from b7b349, b7b42d and b7b628), b7a8f8 Wow64SetThreadContext, b7ac98 ResumeThread; the final block b7b80b loops back to b7ada2.

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Control-flow graph (rendered as an image in the original report): function b7ae48-b7b95d; its basic blocks call b79f3c, b79f48, b79f54, b79f60, b79f6c, b7ab78, b7aa20 (three call sites), b7a8f8, b79f78 and b7ac98.
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1740712543.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b70000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID:
                              • String ID: (
                              • API String ID: 0-3887548279
                              • Opcode ID: 0f430d70bad3232d4bca9a3f0278b06d6187197a67649380d1f6b43648b30d21
                              • Instruction ID: 89c3963e81e45a535988c7dc92a5adcf2f5268964aca6ad30d1c225d71c80b59
                              • Opcode Fuzzy Hash: 0f430d70bad3232d4bca9a3f0278b06d6187197a67649380d1f6b43648b30d21
                              • Instruction Fuzzy Hash: 9E52C171E012288FDB68DF65C994BDDBBF2AF89300F1081EA940DAB295DB345E85CF45

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Control-flow graph (rendered as an image in the original report): function b79f3c-b7bc65; the block b7ba8f-b7bb5c calls CreateProcessW.
                              APIs
                              • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00B7BB49
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1740712543.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b70000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID: Vu
                              • API String ID: 963392458-3388100648
                              • Opcode ID: 40b540c3b169a9ac76383f08207469bfef89c12f315ae846fdef2c5f4d6b0929
                              • Instruction ID: 5d7c95b41575d872fbf472711621d727cb29a04058ecd768c757d991803a7100
                              • Opcode Fuzzy Hash: 40b540c3b169a9ac76383f08207469bfef89c12f315ae846fdef2c5f4d6b0929
                              • Instruction Fuzzy Hash: 7581CFB4C002199FDB21DFA9C984BEDBBF5AB09300F1490EAE518B7220DB709A85CF54

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Control-flow graph (rendered as an image in the original report): function b7aa20-b7ab5e; the block b7aaa2-b7ab03 calls WriteProcessMemory.
                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00B7AAF3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1740712543.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b70000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID: Vu
                              • API String ID: 3559483778-3388100648
                              • Opcode ID: 986c6e750810cdd8fce79a782045553ddcb80bcef2669c2a93d91316e9af5f83
                              • Instruction ID: c5bc108f1b0ee23e5d99e6fd8ce7619af8b3ec6b9004cef38e272e5e4edb2bad
                              • Opcode Fuzzy Hash: 986c6e750810cdd8fce79a782045553ddcb80bcef2669c2a93d91316e9af5f83
                              • Instruction Fuzzy Hash: 004189B5D012589FCF00CFA9D984ADEFBF1BB49310F24902AE819B7250D775AA45CF64

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Control-flow graph (rendered as an image in the original report): function b79f60-b7beac; the block b79f60-b7be65 calls ReadProcessMemory.
                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00B7BE55
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1740712543.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b70000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID: Vu
                              • API String ID: 1726664587-3388100648
                              • Opcode ID: 9a7c2e5968100a434246a1400594d91f7b4f6ee1e0b3bff934401bbc248fd23a
                              • Instruction ID: fae8c0e1773d722c1dfad33c7d1fa3ac9d666b5152564d40550a01ddbbf3ad5b
                              • Opcode Fuzzy Hash: 9a7c2e5968100a434246a1400594d91f7b4f6ee1e0b3bff934401bbc248fd23a
                              • Instruction Fuzzy Hash: D84166B9D042589FCF10CFAAD984ADEFBF1AB19310F10906AE928B7210D375A945CF65

                               Control-flow Graph
                               • Basic blocks (rendered graph omitted): 44 b7ab78-b7ac32 (VirtualAllocEx), 47 b7ac34-b7ac3a, 48 b7ac3b-b7ac85; edges: 44->47, 44->48, 47->48
                               APIs
                               • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00B7AC22
                              Memory Dump Source
                              • Source File: 00000000.00000002.1740712543.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b70000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID: Vu
                              • API String ID: 4275171209-3388100648
                              • Opcode ID: 77006458bbad279c8c3ab02125f46ef14da29d02d97112653bb69b5fe6183295
                              • Instruction ID: 4e0446aa4cb9182ab501d8256b5b4c60351445cf161616daf0f5602fee2745d0
                              • Opcode Fuzzy Hash: 77006458bbad279c8c3ab02125f46ef14da29d02d97112653bb69b5fe6183295
                              • Instruction Fuzzy Hash: 283188B9D042589FCF10CFA9D980ADEFBB5FB49310F20942AE819B7210D735A945CF59

                               Control-flow Graph
                               • Basic blocks (rendered graph omitted): 53 b7a8f8-b7a958, 55 b7a96f-b7a9b7 (Wow64SetThreadContext), 56 b7a95a-b7a96c, 58 b7a9c0-b7aa0c, 59 b7a9b9-b7a9bf; edges: 53->55, 53->56, 55->58, 55->59, 56->55, 59->58
                               APIs
                               • Wow64SetThreadContext.KERNEL32(?,?), ref: 00B7A9A7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1740712543.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b70000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID: Vu
                              • API String ID: 983334009-3388100648
                              • Opcode ID: ed00d7b2b6c8b41ceac1947d128402af76b3d98701af836f80107fa89e4a8e7e
                              • Instruction ID: ff288e413af121b73d3267a53949382930b858a4d95a5048778e6bd95bc0f999
                              • Opcode Fuzzy Hash: ed00d7b2b6c8b41ceac1947d128402af76b3d98701af836f80107fa89e4a8e7e
                              • Instruction Fuzzy Hash: 1E31BCB5D012589FCB10DFAAD884AEEFBF1BF49310F24802AE419B7240D738A985CF54

                               Control-flow Graph
                               • Basic blocks (rendered graph omitted): 64 b79f48-b7bcf4, 66 b7bcf6-b7bd08, 67 b7bd0b-b7bd52 (Wow64GetThreadContext), 68 b7bd54-b7bd5a, 69 b7bd5b-b7bd93; edges: 64->66, 64->67, 66->67, 67->68, 67->69, 68->69
                               APIs
                               • Wow64GetThreadContext.KERNEL32(?,?), ref: 00B7BD42
                              Memory Dump Source
                              • Source File: 00000000.00000002.1740712543.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b70000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID: Vu
                              • API String ID: 983334009-3388100648
                              • Opcode ID: 803168f2586dcad43b89ea25ced407b968cdacf78124eebadf3bd0b478c4c0d6
                              • Instruction ID: fecd28d36502e15929bd8dce3d2f7c84b7175f940517b3d8db187e55b97c7379
                              • Opcode Fuzzy Hash: 803168f2586dcad43b89ea25ced407b968cdacf78124eebadf3bd0b478c4c0d6
                              • Instruction Fuzzy Hash: 6C31ABB5D012589FCB10CFAAD584ADEFBF1FB09314F24806AE418B7210D374A945CF54

                               Control-flow Graph
                               • Basic blocks (rendered graph omitted): 72 b7ac98-b7ad26 (ResumeThread), 75 b7ad2f-b7ad71, 76 b7ad28-b7ad2e; edges: 72->75, 72->76, 76->75
                               APIs
                               • ResumeThread.KERNELBASE(?), ref: 00B7AD16
                              Memory Dump Source
                              • Source File: 00000000.00000002.1740712543.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b70000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID: Vu
                              • API String ID: 947044025-3388100648
                              • Opcode ID: 320f6042fb9c005c19a1fbb9d1e12471b28d6faac2a47e8ce56cce7df0170b04
                              • Instruction ID: aa8bcb41514641ccbd861295b1588c065d1a4e57b584bdc94988055981e7f37d
                              • Opcode Fuzzy Hash: 320f6042fb9c005c19a1fbb9d1e12471b28d6faac2a47e8ce56cce7df0170b04
                              • Instruction Fuzzy Hash: 6831C9B4D012189FCB10CFAAD880ADEFBF4EB49310F24842AE819B7210C735A941CF98

                               Control-flow Graph
                               • Basic blocks (rendered graph omitted): 313 a0d4fc-a0d50e, 314 a0d5a2-a0d5a9, 315 a0d514, 316 a0d516-a0d522, 317 a0d528-a0d54a, 318 a0d5ae-a0d5b3, 320 a0d5b8-a0d5cd, 321 a0d54c-a0d56a, 323 a0d572-a0d582, 325 a0d584-a0d58c, 326 a0d5da, 327 a0d58e-a0d59f, 328 a0d5cf-a0d5d8
                               • Edges: 313->314, 313->315, 314->316, 315->316, 316->317, 316->318, 317->320, 317->321, 318->317, 320->325, 321->323, 323->325, 323->326, 325->327, 325->328, 328->327
                              Memory Dump Source
                              • Source File: 00000000.00000002.1740577718.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a0d000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e6f21b183a4663df4d167d9e9ac8e6845f0bf85dc23e21092deea7c76e847113
                              • Instruction ID: e41e83d7e7eaafaa9b24fd57e4e6329d57ad2725a0a1267337eb1ae8f3a9bdb6
                              • Opcode Fuzzy Hash: e6f21b183a4663df4d167d9e9ac8e6845f0bf85dc23e21092deea7c76e847113
                              • Instruction Fuzzy Hash: 60210672500208DFCB05DF54E9C0B26BF65FB98318F208569EC054A296C336E856C6A1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1740577718.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a0d000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                              • Instruction ID: c12e98b5f2d29fd7d859f5b83a3a54b89b07c5c9f913d1325f59ecdbd1c312f0
                              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                              • Instruction Fuzzy Hash: 7911D376504244CFCB16CF54D9C4B16BF72FB94328F24C5A9DC090B256C336E85ACBA1
                              Memory Dump Source
                              • Source File: 00000001.00000002.1986737213.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_1790000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID:
                              • String ID: Xbq$Xbq$Xbq$Xbq
                              • API String ID: 0-2732225958
                              • Opcode ID: 7539ca671db8cd83ef143c351d6f8cb0f1a7625ef77f8c483497a1a6b61d0739
                              • Instruction ID: 2efb45675bf7d3484eec7a95b017936ebb621c9bd058f841904e421ecd0cdd87
                              • Opcode Fuzzy Hash: 7539ca671db8cd83ef143c351d6f8cb0f1a7625ef77f8c483497a1a6b61d0739
                              • Instruction Fuzzy Hash: EE42B377E88A915ECF23AE78E84C134FF327B5932472CC78DD444AB947D123A64E9641
                              Memory Dump Source
                              • Source File: 00000001.00000002.1986737213.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_1790000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID:
                              • String ID: Xbq$Xbq
                              • API String ID: 0-1243427068
                              • Opcode ID: 2429673f76aed0bfb492dc93f328bf31c08764aced301c65577eb5e2f9dcbcd1
                              • Instruction ID: 0c6048c2c70a073847a597396ee34cd642c6fa7823c57d31e55c9c389a120537
                              • Opcode Fuzzy Hash: 2429673f76aed0bfb492dc93f328bf31c08764aced301c65577eb5e2f9dcbcd1
                              • Instruction Fuzzy Hash: 05D1B267BC8A514ECF178DB9E99C034EE72775522432CC79DD048EBA4BD923F20E9242
                              Memory Dump Source
                              • Source File: 00000001.00000002.1986737213.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_1790000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID:
                              • String ID: LR^q
                              • API String ID: 0-2625958711
                              • Opcode ID: 532c0ad9c2c10de80f6744c740e8f1d89f3fc63ee2818b8db92919da5facaef4
                              • Instruction ID: 366dde48ce5049fd9bb91b9e9b5c9e8f62ccdd031d31df7de87d90ebd594830e
                              • Opcode Fuzzy Hash: 532c0ad9c2c10de80f6744c740e8f1d89f3fc63ee2818b8db92919da5facaef4
                              • Instruction Fuzzy Hash: 5022C974A41219CFCB54DF68F988A9DBBB2FF88312F1081A5D809A7358DB346E85CF51
                              Memory Dump Source
                              • Source File: 00000001.00000002.1986737213.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_1790000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID:
                              • String ID: LR^q
                              • API String ID: 0-2625958711
                              • Opcode ID: 85180603d295f7edd0b90db7f89229c682c0d6944cbffe9098fb0f43a95038ca
                              • Instruction ID: 36037d95c1f2ee250cc2f879293a95cd11c741dc2cb246837b629ee816a87f9b
                              • Opcode Fuzzy Hash: 85180603d295f7edd0b90db7f89229c682c0d6944cbffe9098fb0f43a95038ca
                              • Instruction Fuzzy Hash: C422B874A41219CFCB54DF68F988A9DBBB2FF88312F1081A5D809A7358DB346E85CF51
                              Memory Dump Source
                              • Source File: 00000001.00000002.1986737213.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_1790000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8cd8132e9f2f0ff4c97b95652a33d93aec98a257e73709f5eb26318e6cf3d8ed
                              • Instruction ID: 065f6837b82370822f1e8fad2bbc57a0c0af70e88889cdab23293e45e5a46aab
                              • Opcode Fuzzy Hash: 8cd8132e9f2f0ff4c97b95652a33d93aec98a257e73709f5eb26318e6cf3d8ed
                              • Instruction Fuzzy Hash: 8951C475E01209CFCB08DFA9E49499DBBB2FF89315B208069E405AB324DB35AD46CF51
                              Memory Dump Source
                              • Source File: 00000001.00000002.1986737213.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_1790000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a27db32cc591c252dfcd19343a28aaa9939f743e65abb9e73275c8045fdb4e68
                              • Instruction ID: aa206ab29b7026cbd669b71f72af32d8cf468888d135be94b552e02885f43044
                              • Opcode Fuzzy Hash: a27db32cc591c252dfcd19343a28aaa9939f743e65abb9e73275c8045fdb4e68
                              • Instruction Fuzzy Hash: 0B21B275A00105AFCF14EF38E4409AEB7B6EB99654B10C059E84A8B241DE39EE46CBD2
                              Memory Dump Source
                              • Source File: 00000001.00000002.1986522175.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_170d000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 90050eae9aad722f35bec79ff1ce0f690f7d474ed3499a37a39d465f34d96a31
                              • Instruction ID: 54559320258bd0c2d6bd72bf360508da77b41a388d6a9012821ddd5a7e052e34
                              • Opcode Fuzzy Hash: 90050eae9aad722f35bec79ff1ce0f690f7d474ed3499a37a39d465f34d96a31
                              • Instruction Fuzzy Hash: DC210371500340DFDB26DF98D9C0B66FFA5FB88324F21C1A9ED090B296C336E456C6A1
                              Memory Dump Source
                              • Source File: 00000001.00000002.1986522175.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_170d000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                              • Instruction ID: dd6202c4351146b416e192bf67136c025c9c1c1aac39d039ea403c242edd99ad
                              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                              • Instruction Fuzzy Hash: A011CD72404380CFCB12CF84D5C4B56BFA1FB84224F24C1A9ED090A656C33AE45ACBA1
                              Memory Dump Source
                              • Source File: 00000001.00000002.1986737213.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_1790000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 901b355e2e6ee11b19e3f71d684c91d6c99c67c212f77b746c7a9abe1e0e79ee
                              • Instruction ID: 7b3e2cce61643312137fb59c81fe31e5cb940992c4b96457adb38f05dcb79366
                              • Opcode Fuzzy Hash: 901b355e2e6ee11b19e3f71d684c91d6c99c67c212f77b746c7a9abe1e0e79ee
                              • Instruction Fuzzy Hash: 6621C2B4D0520A8FCB41EFA8D8455EEFFF1BF09310F10916AD805B3215EB345A49CBA1
                              Memory Dump Source
                              • Source File: 00000001.00000002.1986737213.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_1790000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 88ac961398620d12516527b0ef51ba50b2622cc497ebe586d66cabeb5e0899e0
                              • Instruction ID: d512bd3c3c45a6595c25c35a026500a5577f7db55ba8655c4892e1e2c45119d8
                              • Opcode Fuzzy Hash: 88ac961398620d12516527b0ef51ba50b2622cc497ebe586d66cabeb5e0899e0
                              • Instruction Fuzzy Hash: 092147B4D0560A8FCB11EFA8D4485EDFFF0BF4A310F1491AAD445B7268EB341A85CBA1
                              Memory Dump Source
                              • Source File: 00000001.00000002.1986737213.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_1790000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 16c272ef12a82ad28f47e6f67d7b6bbf7fd2b118ebff48deba012e2457a2bc43
                              • Instruction ID: c532445fff96db4d3a9918e647579d8d136379deb5cb04703cbe59ce37e0a29a
                              • Opcode Fuzzy Hash: 16c272ef12a82ad28f47e6f67d7b6bbf7fd2b118ebff48deba012e2457a2bc43
                              • Instruction Fuzzy Hash: 80E022329203225FCB01AB60EC040EEBB30AE92320B15066BE4947B001DB30265ACB92
                              Memory Dump Source
                              • Source File: 00000001.00000002.1986737213.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_1790000_MV Nicos Tomasos Vessel Parts.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fa3f319c06ec8d2f0db4d2bd2560c4099e6b4ae2f2941ad21b1f6b345460064b
                              • Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
                              • Opcode Fuzzy Hash: fa3f319c06ec8d2f0db4d2bd2560c4099e6b4ae2f2941ad21b1f6b345460064b
                              • Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2