

Windows Analysis Report
new shipment.exe

Overview

General Information

Sample name: new shipment.exe
Analysis ID: 1520580
MD5: 41e96a8eabf31d7b5abbeb15d5307b40
SHA1: 0c406ef15662e8580a724ef05dfb04d76c222c9c
SHA256: d7ea65fb9c018f20cff23dc97bb8a9a6818e97c333a5485142f2e0210be204e1
Tags: exe, SnakeKeylogger, user-lowmal3

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Machine Learning detection for sample
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
May check the online IP address of the machine
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • new shipment.exe (PID: 5476 cmdline: "C:\Users\user\Desktop\new shipment.exe" MD5: 41E96A8EABF31D7B5ABBEB15D5307B40)
    • new shipment.exe (PID: 1464 cmdline: "C:\Users\user\Desktop\new shipment.exe" MD5: 41E96A8EABF31D7B5ABBEB15D5307B40)
      • WerFault.exe (PID: 3304 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 1528 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
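The tree above has the shape of RunPE-style self-injection: the first instance (PID 5476) launches a second copy of itself with an identical command line (PID 1464), which the signature list describes as created in suspended mode, and the .NET PDB path recovered from memory names an "UpdatedRunpe" project. The Yara hits on the second instance's image region (00000002...00402000) are consistent with a payload written into that hollowed copy, although the report does not state this explicitly. The second copy then crashes and is handled by WerFault.exe -p 1464. The Python below is an added detection example, not part of the Joe Sandbox report: it flags Sysmon-style process-creation events in which a non-Windows image spawns itself with the same command line, and correlates a later WerFault for that child PID. The events are constructed to mirror this tree; the parent PID and image of the first instance are hypothetical, since the report only records it as created by an unknown process, and skipping images under C:\Windows is a noise-reduction assumption.

```python
import re
from typing import Dict, List, Set

# Constructed Sysmon-style (Event ID 1) process-creation events mirroring the tree
# in this report. The parent of the first instance (PID 4812, explorer.exe) is
# hypothetical: the report only records it as created by an unknown process.
EVENTS: List[Dict[str, str]] = [
    {"ProcessId": "5476", "ParentProcessId": "4812",
     "Image": r"C:\Users\user\Desktop\new shipment.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\user\Desktop\new shipment.exe"',
     "ParentCommandLine": r"C:\Windows\Explorer.EXE"},
    {"ProcessId": "1464", "ParentProcessId": "5476",
     "Image": r"C:\Users\user\Desktop\new shipment.exe",
     "ParentImage": r"C:\Users\user\Desktop\new shipment.exe",
     "CommandLine": r'"C:\Users\user\Desktop\new shipment.exe"',
     "ParentCommandLine": r'"C:\Users\user\Desktop\new shipment.exe"'},
    {"ProcessId": "3304", "ParentProcessId": "1464",
     "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "ParentImage": r"C:\Users\user\Desktop\new shipment.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 1528",
     "ParentCommandLine": r'"C:\Users\user\Desktop\new shipment.exe"'},
]

# WerFault names the crashed process with "-p <pid>" on its command line.
WERFAULT_PID = re.compile(r"WerFault\.exe.*?-p\s+(\d+)", re.IGNORECASE)
# Images under the Windows directory are skipped (assumption, to cut noise).
WINDOWS_DIR = "c:\\windows\\"


def detect_self_spawn(events: List[Dict[str, str]]) -> List[str]:
    """Return PIDs of processes launched by their own image with the same command line."""
    flagged: List[str] = []
    for e in events:
        image = e["Image"].lower()
        same_image = image == e["ParentImage"].lower()
        same_cmd = e["CommandLine"].strip().lower() == e["ParentCommandLine"].strip().lower()
        if same_image and same_cmd and not image.startswith(WINDOWS_DIR):
            flagged.append(e["ProcessId"])
    return flagged


def correlate_crashes(events: List[Dict[str, str]], suspect_pids: Set[str]) -> Dict[str, str]:
    """Map each suspect PID to the PID of the WerFault.exe instance that reported its crash."""
    crashes: Dict[str, str] = {}
    for e in events:
        m = WERFAULT_PID.search(e["CommandLine"])
        if m and m.group(1) in suspect_pids:
            crashes[m.group(1)] = e["ProcessId"]
    return crashes


if __name__ == "__main__":
    suspects = detect_self_spawn(EVENTS)
    print("self-spawned copies:", suspects)
    print("crashed into WerFault:", correlate_crashes(EVENTS, set(suspects)))
```

A self-spawn with an identical command line is rare for benign software and, combined with a crash of the child, is a cheap first-pass filter; in a real pipeline the child PID would then be used to pull the memory region at its image base, which is where the sandbox found the unpacked payload here.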
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
Malware configuration (VIP Keylogger extractor): {"Exfil Mode": "Telegram", "Bot Token": "6836590615:AAFwcOu-vD49QRMuWGekV93uJdtVWmZdWUw", "Chat id": "5007084465", "Version": "4.4"}
Malware configuration (Snake Keylogger extractor): {"Exfil Mode": "Telegram", "Token": "6836590615:AAFwcOu-vD49QRMuWGekV93uJdtVWmZdWUw", "Chat_id": "5007084465", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2d142:$a1: get_encryptedPassword
  • 0x2d42b:$a2: get_encryptedUsername
  • 0x2cf60:$a3: get_timePasswordChanged
  • 0x2d05b:$a4: get_passwordField
  • 0x2d158:$a5: set_encryptedPassword
  • 0x2e785:$a7: get_logins
  • 0x2e6e8:$a10: KeyLoggerEventArgs
  • 0x2e34d:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
(12 further entries not shown)
Source | Rule | Description | Author | Strings
2.2.new shipment.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.new shipment.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
2.2.new shipment.exe.400000.0.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
2.2.new shipment.exe.400000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
2.2.new shipment.exe.400000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2d342:$a1: get_encryptedPassword
  • 0x2d62b:$a2: get_encryptedUsername
  • 0x2d160:$a3: get_timePasswordChanged
  • 0x2d25b:$a4: get_passwordField
  • 0x2d358:$a5: set_encryptedPassword
  • 0x2e985:$a7: get_logins
  • 0x2e8e8:$a10: KeyLoggerEventArgs
  • 0x2e54d:$a11: KeyLoggerEventArgsEventHandler
(34 further entries not shown)
                  No Sigma rule has matched
                  No Suricata rule has matched
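The Windows_Trojan_SnakeKeylogger_af3faa65 hits above are plain string signatures, once over the memory dump and once over the rebuilt ".unpack" PE, and the two offset columns differ by a constant 0x200: the dump region starts at VA 0x402000 (RVA 0x2000, where the first section of a .NET image normally begins), while the rebuilt file stores that section at raw offset 0x200, so dump offset + 0x200 = file offset (0x2d142 + 0x200 = 0x2d342 for $a1, and the same for every pair). That relation is an inference from the listed offsets. The Python below is an added example, not part of the Joe Sandbox report or of the Elastic rule: it scans a buffer for the eight strings the report lists ($a6, $a8 and $a9 are skipped in the numbering and not shown on the page, so they are omitted), prints hits in the report's 0xOFFSET:$id: string form, converts dump offsets to .unpack offsets with the relation above, and applies a "six distinct strings" verdict that is my assumption, not the rule's real condition. The sample buffer is constructed.

```python
from typing import Dict, List, Tuple

# The eight strings the report shows for Windows_Trojan_SnakeKeylogger_af3faa65.
# $a6, $a8 and $a9 are not shown on the page, so they are left out here.
SNAKE_STRINGS: Dict[str, bytes] = {
    "$a1": b"get_encryptedPassword",
    "$a2": b"get_encryptedUsername",
    "$a3": b"get_timePasswordChanged",
    "$a4": b"get_passwordField",
    "$a5": b"set_encryptedPassword",
    "$a7": b"get_logins",
    "$a10": b"KeyLoggerEventArgs",
    "$a11": b"KeyLoggerEventArgsEventHandler",
}

# Offset relation inferred from the report: the dump region begins at
# VA 0x402000 = image base 0x400000 + RVA 0x2000, and the rebuilt .unpack PE
# stores that section at raw offset 0x200.
IMAGE_BASE = 0x400000
DUMP_BASE_VA = 0x402000
SECTION_RVA = 0x2000
SECTION_RAW_OFFSET = 0x200


def scan(buf: bytes, strings: Dict[str, bytes] = SNAKE_STRINGS) -> List[Tuple[int, str, bytes]]:
    """Return every (offset, string_id, pattern) hit in buf, sorted by offset.
    Overlapping hits are kept, as yara would report them."""
    hits: List[Tuple[int, str, bytes]] = []
    for sid, pat in strings.items():
        start = 0
        while (pos := buf.find(pat, start)) != -1:
            hits.append((pos, sid, pat))
            start = pos + 1
    return sorted(hits)


def format_hits(hits: List[Tuple[int, str, bytes]]) -> List[str]:
    """Render hits in the report's '0xOFFSET:$id: string' form."""
    return ["0x%x:%s: %s" % (off, sid, pat.decode("ascii")) for off, sid, pat in hits]


def dump_to_unpack_offset(dump_off: int) -> int:
    """Map an offset inside the 0x402000 memory dump to the .unpack file offset."""
    rva = (DUMP_BASE_VA - IMAGE_BASE) + dump_off
    return rva - SECTION_RVA + SECTION_RAW_OFFSET


def distinct_ids(hits: List[Tuple[int, str, bytes]]) -> int:
    """Number of different string ids that hit at least once."""
    return len({sid for _, sid, _ in hits})


def verdict(hits: List[Tuple[int, str, bytes]], min_distinct: int = 6) -> bool:
    """Heuristic verdict. The threshold is an assumption for this example;
    the rule's actual condition is not reproduced on the page."""
    return distinct_ids(hits) >= min_distinct


def build_sample() -> bytes:
    """Constructed stand-in for a dump: null filler with metadata names planted."""
    return b"".join([
        b"\x00" * 0x100,
        b"get_encryptedPassword\x00",          # $a1 at 0x100
        b"\x00" * 0x40,
        b"get_encryptedUsername\x00",          # $a2 at 0x156
        b"get_logins\x00",                     # $a7 at 0x16c
        b"KeyLoggerEventArgsEventHandler\x00", # $a11 at 0x177 ($a10 also hits here)
        b"\x00" * 0x20,
        b"KeyLoggerEventArgs\x00",             # $a10 at 0x1b6
        b"set_encryptedPassword\x00",          # $a5 at 0x1c9
    ])


if __name__ == "__main__":
    sample_hits = scan(build_sample())
    for line in format_hits(sample_hits):
        print(line)
    print("distinct ids:", distinct_ids(sample_hits), "verdict:", verdict(sample_hits))
    print("$a1 dump offset 0x2d142 -> unpack offset 0x%x" % dump_to_unpack_offset(0x2d142))
```

Note that $a10 (KeyLoggerEventArgs) is a prefix of $a11, so every $a11 occurrence also produces a $a10 hit; when counting distinct ids for a verdict this does not matter, but when reading offsets back into a disassembler it explains a "spurious" $a10 at the $a11 address.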



                  AV Detection

Source: http://aborters.duckdns.org:8081 | URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081 | URL Reputation: Label: malware
Source: 00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "6836590615:AAFwcOu-vD49QRMuWGekV93uJdtVWmZdWUw", "Chat_id": "5007084465", "Version": "4.4"}
Source: 0.2.new shipment.exe.4250a40.4.raw.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "6836590615:AAFwcOu-vD49QRMuWGekV93uJdtVWmZdWUw", "Chat id": "5007084465", "Version": "4.4"}
Source: new shipment.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: new shipment.exe | Joe Sandbox ML: detected
Source: new shipment.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdbRSDS source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: \??\C:\Users\user\Desktop\new shipment.PDB source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: mscorlib.ni.pdbRSDS source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: System.Configuration.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: System.Xml.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: System.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: System.pdbSystem.Core.ni.dll source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: System.Xml.ni.pdbRSDS# source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: System.Core.ni.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: new shipment.exe, 00000000.00000002.2602151937.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp, new shipment.exe, 00000000.00000002.2598678318.0000000003134000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: %%.pdb source: new shipment.exe, 00000002.00000002.1448853295.00000000011F7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: mscorlib.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: C:\Users\user\Desktop\new shipment.PDB source: new shipment.exe, 00000002.00000002.1448853295.00000000011F7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: System.Xml.pdbL0Tw# source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb9\,( source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: System.ni.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: HPHo0C:\Windows\mscorlib.pdb source: new shipment.exe, 00000002.00000002.1448853295.00000000011F7000.00000004.00000010.00020000.00000000.sdmp

                  Networking

Source: Yara match | File source: 2.2.new shipment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.4250a40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.4119770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.420e610.3.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | IP Address: 132.226.8.169
Source: unknown | DNS query: name: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: new shipment.exe, 00000002.00000002.1450342369.00000000036D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: new shipment.exe, 00000002.00000002.1450342369.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1450342369.00000000036C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: new shipment.exe, 00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: new shipment.exe, 00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
Source: new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
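The networking section shows the Snake/VIP Keylogger sequence: an external-IP lookup at checkip.dyndns.org (reallyfreegeoip.org also appears in strings) with a fixed "MSIE 6.0 / .NET CLR1.0.3705" User-Agent, followed by exfiltration through the Telegram Bot API (https://api.telegram.org/bot<token>/<method>) using the token and chat id the configuration extractor recovered, with the duckdns/dns.army/kozow hosts and 51.38.247.67:8081/_send_.php present as alternative endpoints. The Python below is an added example, not the sandbox's own code: it normalizes the two extractor outputs, whose key names differ ("Bot Token"/"Chat id" vs "Token"/"Chat_id"), derives the URL prefix to hunt for, and runs three detections over constructed tab-separated proxy-log lines. The log column layout, the restriction to Telegram send* methods and the sample lines are assumptions; the /bot<token>/<method> path is the real Bot API shape.

```python
import re
from typing import Dict, List


def normalize_config(cfg: Dict[str, str]) -> Dict[str, str]:
    """Merge the two extractor key styles ('Bot Token'/'Chat id' vs 'Token'/'Chat_id')
    into one shape so downstream tooling needs only one code path."""
    low = {k.lower().replace(" ", "_"): v for k, v in cfg.items()}
    return {
        "exfil_mode": low.get("exfil_mode", ""),
        "token": low.get("bot_token") or low.get("token", ""),
        "chat_id": low.get("chat_id", ""),
        "version": low.get("version", ""),
    }


def block_prefix(token: str) -> str:
    """URL prefix for an egress denylist or a proxy-log search (Bot API path shape)."""
    return "https://api.telegram.org/bot%s/" % token


# Bot API path: /bot<numeric id>:<secret>/<method>. Matching only send* methods is an
# assumption for this example; legitimate bots usually poll getUpdates instead.
TELEGRAM_SEND = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]{30,})/(send\w+)")

# User-Agent the report captured on the checkip.dyndns.org request.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}

# Hosts and IP listed in the report's networking section; /_send_.php is the PHP endpoint.
C2_HOSTS = {"aborters.duckdns.org", "anotherarmy.dns.army", "varders.kozow.com", "51.38.247.67"}


def analyze_log(lines: List[str], known_token: str = "") -> List[dict]:
    """Parse tab-separated 'ts src method host uri user_agent' lines (assumed layout)
    and return one alert dict per suspicious request."""
    alerts: List[dict] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, method, host, uri, ua = line.rstrip("\n").split("\t", 5)
        host = host.split(":")[0]  # drop an explicit port such as :8081
        m = TELEGRAM_SEND.match(uri) if host == "api.telegram.org" else None
        if m:
            token, api_method = m.groups()
            alerts.append({"ts": ts, "src": src, "rule": "telegram_bot_exfil",
                           "token": token, "method": api_method,
                           "known_token": token == known_token})
        elif host in IP_CHECK_HOSTS and ua == LEGACY_UA:
            alerts.append({"ts": ts, "src": src, "rule": "ip_check_legacy_ua", "host": host})
        elif host in C2_HOSTS or uri.startswith("/_send_.php"):
            alerts.append({"ts": ts, "src": src, "rule": "known_c2_host", "host": host, "uri": uri})
    return alerts


# Constructed sample log (not sandbox output). Columns: ts, src, method, host, uri, user_agent.
SAMPLE_LOG_LINES: List[str] = [
    "# constructed sample: ts src method host uri user_agent",
    "\t".join(["2024-01-01T10:00:01Z", "10.0.0.7", "GET", "checkip.dyndns.org", "/", LEGACY_UA]),
    "\t".join(["2024-01-01T10:00:02Z", "10.0.0.7", "GET", "reallyfreegeoip.org", "/xml/203.0.113.5", LEGACY_UA]),
    "\t".join(["2024-01-01T10:00:05Z", "10.0.0.7", "POST", "api.telegram.org",
               "/bot6836590615:AAFwcOu-vD49QRMuWGekV93uJdtVWmZdWUw/sendMessage", LEGACY_UA]),
    "\t".join(["2024-01-01T10:00:09Z", "10.0.0.7", "POST", "51.38.247.67:8081", "/_send_.php?LC", LEGACY_UA]),
    "\t".join(["2024-01-01T10:01:00Z", "10.0.0.9", "GET", "checkip.dyndns.org", "/", "curl/8.4.0"]),
    "\t".join(["2024-01-01T10:01:30Z", "10.0.0.9", "GET", "api.telegram.org",
               "/bot123456789:ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ/getUpdates", "MyBot/1.0"]),
]


if __name__ == "__main__":
    cfg = normalize_config({"Exfil Mode": "Telegram",
                            "Bot Token": "6836590615:AAFwcOu-vD49QRMuWGekV93uJdtVWmZdWUw",
                            "Chat id": "5007084465", "Version": "4.4"})
    print("hunt for:", block_prefix(cfg["token"]))
    for alert in analyze_log(SAMPLE_LOG_LINES, known_token=cfg["token"]):
        print(alert)
```

Two of the six sample lines are deliberately benign (a curl IP check and a bot polling getUpdates) and produce no alert; the token match against the extracted configuration is what turns a generic "Telegram send from a workstation" into a confirmed hit for this sample. Because the bot token is the credential the operator uses to read the exfiltrated data, it is also the right thing to report to Telegram for revocation.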

                  System Summary

Source: 2.2.new shipment.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 2.2.new shipment.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 2.2.new shipment.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.new shipment.exe.4250a40.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.new shipment.exe.4250a40.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.new shipment.exe.4250a40.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.new shipment.exe.420e610.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.new shipment.exe.420e610.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.new shipment.exe.420e610.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.new shipment.exe.4250a40.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.new shipment.exe.4250a40.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.new shipment.exe.4250a40.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.new shipment.exe.4119770.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.new shipment.exe.4119770.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.new shipment.exe.420e610.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.new shipment.exe.420e610.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.new shipment.exe.420e610.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: Process Memory Space: new shipment.exe PID: 5476, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: Process Memory Space: new shipment.exe PID: 1464, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: C:\Users\user\Desktop\new shipment.exe | Code function: 0_2_06498C80
Source: C:\Users\user\Desktop\new shipment.exe | Code function: 2_2_018939F0
Source: C:\Users\user\Desktop\new shipment.exe | Code function: 2_2_01893E09
Source: C:\Users\user\Desktop\new shipment.exe | Code function: 2_2_018929EC
Source: C:\Users\user\Desktop\new shipment.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 1528
Source: new shipment.exe, 00000000.00000002.2597016395.00000000012BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs new shipment.exe
Source: new shipment.exe, 00000000.00000002.2602151937.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs new shipment.exe
Source: new shipment.exe, 00000000.00000000.1334745220.0000000000D12000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePvI.exe( vs new shipment.exe
Source: new shipment.exe, 00000000.00000002.2600980391.00000000057A0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameExample.dll0 vs new shipment.exe
Source: new shipment.exe, 00000000.00000002.2598678318.0000000003134000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs new shipment.exe
Source: new shipment.exe, 00000000.00000002.2598678318.0000000003134000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs new shipment.exe
Source: new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameExample.dll0 vs new shipment.exe
Source: new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs new shipment.exe
Source: new shipment.exe, 00000002.00000002.1448682843.0000000000444000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs new shipment.exe
Source: new shipment.exe, 00000002.00000002.1448957285.00000000014A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs new shipment.exe
Source: new shipment.exe | Binary or memory string: OriginalFilenamePvI.exe( vs new shipment.exe
Matched rule metadata (each rule listed once, followed by the sources it matched):
Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
  • type UNPACKEDPE: 2.2.new shipment.exe.400000.0.unpack; 0.2.new shipment.exe.4250a40.4.unpack; 0.2.new shipment.exe.420e610.3.unpack; 0.2.new shipment.exe.4250a40.4.raw.unpack; 0.2.new shipment.exe.4119770.2.raw.unpack; 0.2.new shipment.exe.420e610.3.raw.unpack
  • type MEMORY: 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp; 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp
  • type MEMORYSTR: Process Memory Space: new shipment.exe PID: 5476; Process Memory Space: new shipment.exe PID: 1464
MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
  • type UNPACKEDPE: 2.2.new shipment.exe.400000.0.unpack; 0.2.new shipment.exe.4250a40.4.unpack; 0.2.new shipment.exe.420e610.3.unpack; 0.2.new shipment.exe.4250a40.4.raw.unpack; 0.2.new shipment.exe.420e610.3.raw.unpack
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | author = ditekSHen, description = Detects executables with potential process hoocking
  • type UNPACKEDPE: 2.2.new shipment.exe.400000.0.unpack; 0.2.new shipment.exe.4250a40.4.unpack; 0.2.new shipment.exe.420e610.3.unpack; 0.2.new shipment.exe.4250a40.4.raw.unpack; 0.2.new shipment.exe.4119770.2.raw.unpack; 0.2.new shipment.exe.420e610.3.raw.unpack
Source: 0.2.new shipment.exe.57a0000.5.raw.unpack, DarkListView.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new shipment.exe.4250a40.4.raw.unpack, mm-.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new shipment.exe.4250a40.4.raw.unpack, mm-.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new shipment.exe.4250a40.4.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new shipment.exe.420e610.3.raw.unpack, mm-.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new shipment.exe.420e610.3.raw.unpack, mm-.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new shipment.exe.420e610.3.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new shipment.exe.4119770.2.raw.unpack, DarkListView.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.new shipment.exe.57a0000.5.raw.unpack, DarkComboBox.cs | Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.new shipment.exe.4250a40.4.raw.unpack, -.cs | Base64 encoded string: 'Po2GZWUhvfUeLnbwmmtuvQoyc0qjrFr4WqeP3QHoVwXCKF0sCMsk3YCon1wvapzc'
Source: 0.2.new shipment.exe.420e610.3.raw.unpack, -.cs | Base64 encoded string: 'Po2GZWUhvfUeLnbwmmtuvQoyc0qjrFr4WqeP3QHoVwXCKF0sCMsk3YCon1wvapzc'
Source: 0.2.new shipment.exe.4119770.2.raw.unpack, DarkComboBox.cs | Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/5@1/1
Source: C:\Users\user\Desktop\new shipment.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1464
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\00284efd-9f10-4bf1-82ef-f829a9110eaa
Source: new shipment.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: new shipment.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\new shipment.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: new shipment.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\new shipment.exe | File read: C:\Users\user\Desktop\new shipment.exe
Source: unknown | Process created: C:\Users\user\Desktop\new shipment.exe "C:\Users\user\Desktop\new shipment.exe"
Source: C:\Users\user\Desktop\new shipment.exe | Process created: C:\Users\user\Desktop\new shipment.exe "C:\Users\user\Desktop\new shipment.exe"
Source: C:\Users\user\Desktop\new shipment.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 1528
Source: C:\Users\user\Desktop\new shipment.exe | Section loaded (first load sequence, 28 loads): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, windows.storage.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll
Source: C:\Users\user\Desktop\new shipment.exe | Section loaded (second load sequence, 26 loads): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll
Note: the second load sequence is the one that pulls in the RAS/WinHTTP/DNS networking stack (rasapi32.dll, winhttp.dll, dnsapi.dll, fwpuclnt.dll); the first sequence stays within the CLR, UI and crypto libraries.
Source: C:\Users\user\Desktop\new shipment.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\new shipment.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: new shipment.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: new shipment.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdbRSDS source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: \??\C:\Users\user\Desktop\new shipment.PDB source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: mscorlib.ni.pdbRSDS source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: System.Configuration.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: System.Xml.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: System.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: System.pdbSystem.Core.ni.dll source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: System.Xml.ni.pdbRSDS# source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: System.Core.ni.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: new shipment.exe, 00000000.00000002.2602151937.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp, new shipment.exe, 00000000.00000002.2598678318.0000000003134000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: %%.pdb source: new shipment.exe, 00000002.00000002.1448853295.00000000011F7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: mscorlib.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: C:\Users\user\Desktop\new shipment.PDB source: new shipment.exe, 00000002.00000002.1448853295.00000000011F7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: System.Xml.pdbL0Tw# source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb9\,( source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: System.ni.pdb source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WER92DB.tmp.dmp.6.dr
                  Source: Binary string: HPHo0C:\Windows\mscorlib.pdb source: new shipment.exe, 00000002.00000002.1448853295.00000000011F7000.00000004.00000010.00020000.00000000.sdmp

                  Data Obfuscation

Source: new shipment.exe, ExportProvider.cs | .Net Code: CreateExportFactory
Source: new shipment.exe | Static PE information: 0xEA086D61 [Thu Jun 3 16:27:13 2094 UTC]
Note: a link timestamp in the future is either deliberately patched or, for a .NET assembly compiled deterministically (Roslyn /deterministic), a content hash written in place of the timestamp with the high bit set, which always decodes to a date after 2038. 0xEA086D61 has the high bit set, so this signature is weak on its own and should be read together with the other indicators.
Source: new shipment.exe | Static PE information: section name: .text entropy: 7.274277592919608
Note: in a .NET assembly the .text section holds the IL, metadata and managed resources; an entropy this close to the 8.0 ceiling points to embedded encrypted or compressed payloads rather than ordinary IL.
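
The three static indicators listed in this report (the TransformFinalBlock calls beside the Base64 literals at the top of the section, and the future link timestamp and .text entropy under Data Obfuscation) can be re-checked offline without the sandbox. The script below is an added example, not Joe Sandbox code or code from the sample. It parses the COFF timestamp out of a constructed MZ/PE stub carrying the reported value, flags future or hash-like timestamps, computes Shannon entropy, and decodes the two quoted Base64 literals to see whether their plaintext has the shape of block-cipher output. The analysis date is an assumption; the report does not state it.

```python
"""Static re-check of three indicators quoted in this report: the COFF link
timestamp, section entropy and the shape of the Base64 literals. Added
example, not Joe Sandbox code. The PE stub is constructed here; the timestamp
and Base64 values are the ones quoted in the report."""
import base64
import math
import struct
from datetime import datetime, timezone

REPORTED_TIMESTAMP = 0xEA086D61   # "Static PE information" value quoted above
REPORTED_B64 = [                   # the two Base64 literals quoted above
    "Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/",
    "Po2GZWUhvfUeLnbwmmtuvQoyc0qjrFr4WqeP3QHoVwXCKF0sCMsk3YCon1wvapzc",
]
# Assumed analysis date; the report does not state it. Any date before 2094
# gives the same verdict for the timestamp above.
ANALYSED_AT = datetime(2024, 9, 27, tzinfo=timezone.utc)


def coff_timestamp(pe: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp from a PE image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", pe, e_lfanew + 8)
    return ts


def timestamp_verdict(ts: int, analysed_at: datetime) -> str:
    """Classify a link timestamp against the time the sample was analysed."""
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    stamp = when.strftime("%Y-%m-%d %H:%M:%S UTC")
    if when > analysed_at:
        note = "future timestamp"
        if ts & 0x80000000:
            # Deterministic Roslyn builds store a content hash here with the
            # high bit set, which always decodes to a date after 2038, so a
            # future value alone does not prove tampering.
            note += " (high bit set: may be a deterministic-build hash, corroborate)"
        return f"suspicious: {note} {stamp}"
    if when.year < 1995:
        return f"suspicious: implausibly old timestamp {stamp}"
    return f"plausible: {stamp}"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_b64(literal: str) -> dict:
    """Decode a Base64 literal and describe the plaintext's shape. A length
    that is a multiple of 16 with almost no readable bytes is what AES/CBC
    ciphertext looks like, consistent with the TransformFinalBlock calls."""
    raw = base64.b64decode(literal, validate=True)
    printable = sum(32 <= b < 127 for b in raw) / max(len(raw), 1)
    return {
        "length": len(raw),
        "block_aligned_16": len(raw) % 16 == 0,
        "printable_ratio": round(printable, 2),
        "entropy": round(shannon_entropy(raw), 2),
    }


def build_sample_pe(ts: int) -> bytes:
    """Minimal MZ + PE signature + IMAGE_FILE_HEADER stub (constructed test data)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    # Machine=i386, 1 section, TimeDateStamp, SymTab, NumSyms, OptHdrSize, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, ts, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    pe = build_sample_pe(REPORTED_TIMESTAMP)
    print(timestamp_verdict(coff_timestamp(pe), ANALYSED_AT))
    for lit in REPORTED_B64:
        print(lit[:16] + "...", triage_b64(lit))
```

Both quoted literals decode to 96 and 48 bytes, each a multiple of the 16-byte AES block, which is the expected shape for the encrypted configuration strings that TransformFinalBlock is being called on; a real file is checked by passing its bytes to coff_timestamp and a section's bytes to shannon_entropy.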
Source: C:\Users\user\Desktop\new shipment.exe | Process information set: NOOPENFILEERRORBOX (79 identical events)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical events)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (51 identical events)
Source: C:\Users\user\Desktop\new shipment.exe | Memory allocated: 1630000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new shipment.exe | Memory allocated: 30A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new shipment.exe | Memory allocated: 50A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new shipment.exe | Memory allocated: 1890000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new shipment.exe | Memory allocated: 3610000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\new shipment.exe | Memory allocated: 1CA0000 memory reserve | memory write watch
Note: MEM_WRITE_WATCH reservations are also how the .NET garbage collector tracks dirty pages for its card table, so on a managed sample this signature carries little weight by itself.
Note: the Amcache.hve.6.dr strings below come from the analysis host's own Amcache inventory hive, copied into the WER report by WerFault.exe; they show that the run took place on a VMware guest and are not evidence that the sample searches for these strings.
Source: Amcache.hve.6.dr | Binary or memory string: VMware
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr | Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.6.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: new shipment.exe, 00000002.00000002.1448957285.00000000014D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllgura
Note: "Hyper-V RAW" is the name of the AF_HYPERV Winsock provider registered by mswsock.dll; it appears in the sample's memory because mswsock.dll was loaded (see the second load sequence above), not because the sample probes for Hyper-V.
Source: Amcache.hve.6.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\new shipment.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\new shipment.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\new shipment.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\new shipment.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\new shipment.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.new shipment.exe.5be0000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.new shipment.exe.5be0000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.new shipment.exe.5be0000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs | Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: C:\Users\user\Desktop\new shipment.exe | Process created: C:\Users\user\Desktop\new shipment.exe "C:\Users\user\Desktop\new shipment.exe"
Source: C:\Users\user\Desktop\new shipment.exe | Queries volume information: C:\Users\user\Desktop\new shipment.exe VolumeInformation
Source: C:\Users\user\Desktop\new shipment.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\new shipment.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\new shipment.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\new shipment.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\new shipment.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\new shipment.exe | Queries volume information: C:\Users\user\Desktop\new shipment.exe VolumeInformation
Source: C:\Users\user\Desktop\new shipment.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\new shipment.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\new shipment.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe
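The three decompiled references above, taken together with the self-spawn, are the classic .NET RunPE (process hollowing) pattern: kernel32 exports are resolved at run time through LoadLibraryA/GetProcAddress and wrapped with Marshal.GetDelegateForFunctionPointer so that no P/Invoke import names them statically, a second copy of the sample is started (suspended, per the "creates a process in suspended mode" signature), and ReadProcessMemory fetches 4 bytes at PEB+8 of that child, which in the 32-bit PEB is ImageBaseAddress, the value the loader needs before unmapping the original image and writing the payload. The WerFault artefacts further down name Pid 1464 as the crashing process and the cookbook comments say its execution graph was empty, both consistent with a hollowed host whose original code never ran. The following triage rule is an added example, not Joe Sandbox's or the sample's code: it runs over a constructed list of Sysmon-style process-creation records (PIDs 5476, 1464 and 3304 and the WerFault command line mirror this report; the chrome.exe pair is invented noise) and flags a process that launches its own image again with a byte-identical command line, raising confidence when that child is later reported crashed. It catches only the self-hosting variant; hollowing into a different trusted image needs a separate rule.

```python
"""Triage rule for the self-spawn hollowing pattern seen in this report.

Added example, not Joe Sandbox's or the sample's code. The input is a
constructed list of process-creation records shaped like Sysmon Event ID 1
fields; PIDs 5476 / 1464 / 3304 and the WerFault command line mirror the
report, the chrome.exe records are invented so the rule has noise to ignore.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    ts: float      # seconds since the first event (constructed)
    pid: int
    ppid: int
    image: str     # full image path
    cmdline: str


# Constructed events: 5476 starts a second copy of its own image with an
# identical command line (the suspended hollowing host); WerFault is later
# launched with "-p 1464" because the replaced image crashed. The chrome.exe
# pair is a legitimate self-spawn with extra switches and must not fire.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(0.0, 5476, 4012, r"C:\Users\user\Desktop\new shipment.exe",
              r'"C:\Users\user\Desktop\new shipment.exe"'),
    ProcEvent(1.2, 1464, 5476, r"C:\Users\user\Desktop\new shipment.exe",
              r'"C:\Users\user\Desktop\new shipment.exe"'),
    ProcEvent(2.0, 2400, 4012, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
    ProcEvent(2.4, 2500, 2400, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer'),
    ProcEvent(60.9, 3304, 1464, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 1528"),
]

_WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)")


def _norm(s: str) -> str:
    """Case-fold and collapse whitespace so quoting/casing differences don't matter."""
    return " ".join(s.strip().lower().split())


def find_self_spawn(events: List[ProcEvent]) -> List[Tuple[ProcEvent, ProcEvent]]:
    """(parent, child) pairs where a process launches its own image again with
    an identical command line. Multi-process applications re-launch
    themselves with extra arguments, so the exact match is the discriminator."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None or parent.pid == child.pid:
            continue
        if _norm(parent.image) == _norm(child.image) and _norm(parent.cmdline) == _norm(child.cmdline):
            hits.append((parent, child))
    return hits


def crashed_pids(events: List[ProcEvent]) -> Set[int]:
    """PIDs that WerFault was started for (the -p <pid> argument)."""
    out: Set[int] = set()
    for e in events:
        if e.image.lower().endswith("\\werfault.exe"):
            m = _WERFAULT_PID.search(e.cmdline)
            if m:
                out.add(int(m.group(1)))
    return out


def triage(events: List[ProcEvent]) -> List[dict]:
    """One finding per self-spawn pair. A later crash of the child is a
    secondary signal: in this report the self-spawned copy faulted and was
    dumped by WerFault, which a normal re-launch of the same program would not do."""
    crashed = crashed_pids(events)
    findings = []
    for parent, child in find_self_spawn(events):
        findings.append({
            "parent_pid": parent.pid,
            "child_pid": child.pid,
            "image": child.image,
            "child_crashed": child.pid in crashed,
            "confidence": "high" if child.pid in crashed else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A crash of the hollowed host also has an analysis consequence: the in-sandbox run most likely ended before the keylogger reached its exfiltration stage, so the network tables below (a single resolved host, checkip.dyndns.com) understate the C2 behaviour the configuration strings describe.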

Stealing of Sensitive Information

Source: Yara match | File source: 00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.new shipment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.4250a40.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.420e610.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.4250a40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.4119770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.420e610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: new shipment.exe PID: 5476, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: new shipment.exe PID: 1464, type: MEMORYSTR

Source: Yara match | File source: 2.2.new shipment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.4250a40.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.420e610.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.4250a40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.4119770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.420e610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: new shipment.exe PID: 5476, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: new shipment.exe PID: 1464, type: MEMORYSTR

Source: Yara match | File source: 2.2.new shipment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.4250a40.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.420e610.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.4250a40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.4119770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.420e610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: new shipment.exe PID: 5476, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: new shipment.exe PID: 1464, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.new shipment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.4250a40.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.420e610.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.4250a40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.4119770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.420e610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: new shipment.exe PID: 5476, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: new shipment.exe PID: 1464, type: MEMORYSTR

Source: Yara match | File source: 2.2.new shipment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.4250a40.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.420e610.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.4250a40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.4119770.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.new shipment.exe.420e610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: new shipment.exe PID: 5476, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: new shipment.exe PID: 1464, type: MEMORYSTR
MITRE ATT&CK matrix, one line per tactic. A number in front of a technique is the report's signature-count badge for that cell; entries without a number are the matrix's standard placeholder cells with no matching signature.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 2 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 11 Obfuscated Files or Information; 11 Software Packing; 1 Timestomp; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 21 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 System Network Configuration Discovery; 12 System Information Discovery; Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
new shipment.exe | 50% | ReversingLabs | ByteCode-MSIL.Infostealer.Tinba
new shipment.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://aborters.duckdns.org:8081 | 100% | URL Reputation | malware
http://upx.sf.net | 0% | URL Reputation | safe
http://checkip.dyndns.org | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://anotherarmy.dns.army:8081 | 100% | URL Reputation | malware
http://varders.kozow.com:8081 | 0% | URL Reputation | safe
http://checkip.dyndns.org/q | 0% | URL Reputation | safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
checkip.dyndns.com | 132.226.8.169 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://aborters.duckdns.org:8081 | new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://upx.sf.net | Amcache.hve.6.dr | false | URL Reputation: safe | unknown
http://checkip.dyndns.org | new shipment.exe, 00000002.00000002.1450342369.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1450342369.00000000036C9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.com | new shipment.exe, 00000002.00000002.1450342369.00000000036D6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://api.telegram.org/bot | new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | new shipment.exe, 00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://anotherarmy.dns.army:8081 | new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://varders.kozow.com:8081 | new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/q | new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/ | new shipment.exe, 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, new shipment.exe, 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
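The URL and domain tables above carry everything a network defender needs from this run: three dynamic-DNS hosts (aborters.duckdns.org, anotherarmy.dns.army, varders.kozow.com) and one raw IP (51.38.247.67, with the `_send_.php` form-post path) all on TCP 8081, the Telegram bot API as an alternative exfiltration channel, and the public-IP/geolocation lookups (checkip.dyndns.org, checkip.dyndns.com at 132.226.8.169, reallyfreegeoip.org) the keylogger performs before it reports in. Two caveats apply when turning these into detections: varders.kozow.com is rated "safe" by URL reputation, but it is extracted from the same memory regions and uses the same port as the two "malware"-rated hosts, so it belongs to the same C2 set; and the geolocation services are legitimate and widely used, so they are low-fidelity alone and should only raise the verdict when followed by C2 or exfiltration traffic from the same client. The script below is an added example (not part of the Joe Sandbox report) that encodes exactly that: the indicators are copied from the tables, while the tags, the log format and the log lines are constructed for the demo.

```python
"""Proxy-log triage against the network indicators in this report.

Added example, not part of the Joe Sandbox report. Hosts, port and URL
prefixes come from the report's URL/domain tables; the tags, the log format
and the sample log lines are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# C2 endpoints the sample carries, all on TCP 8081. varders.kozow.com is
# rated "safe" by URL reputation but sits in the same memory regions and on
# the same port as the two "malware" hosts, so it is treated as C2 here.
C2_HOSTS = {"aborters.duckdns.org", "anotherarmy.dns.army",
            "varders.kozow.com", "51.38.247.67"}
C2_PORT = 8081
DDNS_SUFFIXES = (".duckdns.org", ".kozow.com", ".dns.army")  # free DDNS providers seen above
TELEGRAM_BOT_PREFIX = "https://api.telegram.org/bot"          # alternative exfil channel
# Benign services the keylogger calls first for the victim's public IP and
# geolocation: low fidelity alone, strong when followed by C2 traffic.
RECON_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}
RECON_IPS = {"132.226.8.169"}

# Constructed proxy log: "<iso-time> <client-ip> <method> <url>".
SAMPLE_LOG = """\
2024-09-27T14:01:05Z 10.0.0.7 GET http://checkip.dyndns.org/
2024-09-27T14:01:06Z 10.0.0.7 GET https://reallyfreegeoip.org/xml/203.0.113.9
2024-09-27T14:01:09Z 10.0.0.7 POST http://51.38.247.67:8081/_send_.php?LC
2024-09-27T14:02:00Z 10.0.0.7 POST https://api.telegram.org/bot000000:PLACEHOLDER/sendDocument
2024-09-27T14:03:00Z 10.0.0.9 GET https://www.example.com/
2024-09-27T14:04:00Z 10.0.0.12 GET http://checkip.dyndns.org/
"""


def classify(url: str, dst_ip: Optional[str] = None) -> Optional[str]:
    """Tag one request: 'c2', 'exfil-telegram', 'recon-geoip',
    'c2-suspect-ddns' (an unlisted DDNS host on the C2 port) or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if host in C2_HOSTS and port == C2_PORT:
        return "c2"
    if url.startswith(TELEGRAM_BOT_PREFIX):
        return "exfil-telegram"
    if host in RECON_HOSTS or dst_ip in RECON_IPS:
        return "recon-geoip"
    if host.endswith(DDNS_SUFFIXES) and port == C2_PORT:
        return "c2-suspect-ddns"
    return None


def parse_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Split the constructed log into (timestamp, client, method, url) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url = line.split(maxsplit=3)
        rows.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), src, method, url))
    return rows


def triage(text: str, window_s: int = 600) -> Dict[str, dict]:
    """Per client: tags seen, a verdict, and whether the infostealer's order of
    operations held (geo-IP lookup, then C2/exfil within window_s seconds)."""
    per_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, _method, url in parse_log(text):
        tag = classify(url)
        if tag:
            per_src[src].append((ts, tag))
    result: Dict[str, dict] = {}
    for src, hits in per_src.items():
        recon = [ts for ts, t in hits if t == "recon-geoip"]
        bad = [ts for ts, t in hits if t in ("c2", "exfil-telegram", "c2-suspect-ddns")]
        chain = any(0 <= (b - r).total_seconds() <= window_s for r in recon for b in bad)
        result[src] = {
            "tags": sorted({t for _, t in hits}),
            "verdict": "infected" if bad else "recon-only",
            "chain": chain,
        }
    return result


if __name__ == "__main__":
    for client, info in triage(SAMPLE_LOG).items():
        print(client, info)
```

Clients that only show a geolocation lookup come back as "recon-only" and are worth a look rather than an alert; the "chain" flag is the high-confidence signal, because the lookup-then-report sequence within a short window is how this family behaves.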
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1520580
Start date and time: 2024-09-27 16:00:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: new shipment.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@4/5@1/1
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 24
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.73.29
• Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target new shipment.exe, PID 1464 because it is empty
• Not all processes were analysed; the report is missing behaviour information
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: new shipment.exe
Time | Type | Description
10:01:14 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match: 132.226.8.169
Associated Sample Name / URL | Detection | Threat Name | Context
update SOA.exe | malicious | Snake Keylogger | checkip.dyndns.org/
GfGxum1sf3.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
GEsD6lobvy.hta | malicious | Cobalt Strike, Snake Keylogger | checkip.dyndns.org/
Payment Advice.xls | malicious | Snake Keylogger | checkip.dyndns.org/
#docs_8299010377388200191-pdf.js | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
REMITTANCE ADVICE.xls | malicious | Snake Keylogger | checkip.dyndns.org/
VbcXXnmIwPPhh.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Payment Details.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Thyssenkrupp PO040232.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/

Match: checkip.dyndns.com
Associated Sample Name / URL | Detection | Threat Name | Context
SecuriteInfo.com.Trojan.AutoIt.1503.25057.26595.exe | malicious | Snake Keylogger | 193.122.130.0
update SOA.exe | malicious | Snake Keylogger | 132.226.8.169
.05.2024.exe | malicious | Snake Keylogger | 193.122.130.0
GfGxum1sf3.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
GEsD6lobvy.hta | malicious | Cobalt Strike, Snake Keylogger | 132.226.8.169
GfGxum1sf3.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
Payment Advice.xls | malicious | Snake Keylogger | 132.226.247.73
Ziraat Bankasi Swift Mesaji.exe | malicious | Snake Keylogger | 193.122.130.0
#docs_8299010377388200191-pdf.js | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169

Match: UTMEMUS
Associated Sample Name / URL | Detection | Threat Name | Context
update SOA.exe | malicious | Snake Keylogger | 132.226.8.169
GfGxum1sf3.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
GEsD6lobvy.hta | malicious | Cobalt Strike, Snake Keylogger | 132.226.8.169
Payment Advice.xls | malicious | Snake Keylogger | 132.226.247.73
#docs_8299010377388200191-pdf.js | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger | 132.226.247.73
REMITTANCE ADVICE.xls | malicious | Snake Keylogger | 132.226.247.73
VbcXXnmIwPPhh.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
nBank_Report.pif.exe | malicious | Snake Keylogger | 132.226.247.73
SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169

No context
No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.0843703474055533
Encrypted: false
SSDEEP: 192:mgLEcuuCv3UcgT0BU/HfSa6ce36izuiF8Z24IO82E:mc/wv3UcgABU/aarVizuiF8Y4IO8N
MD5: 028D597EF713A8579B6453E87F54D6E9
SHA1: DB14A7F943D203FF56EE23CE38EC73889FAF2BB6
SHA-256: 8838A82BF9A8ACD91E057EA5EAEA65625C8FAA6ADB79AE397FD86FC62A7BA557
SHA-512: F1F14FCEF208EC283E8161A472B7771AC2FCFD317F91CD6352A6A0FE454D50AB6184A12F113B0EBB62C1B8391DBC32FFF04F035AEE33F3BC28E6DFB92F496157
Malicious: true
Reputation: low
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.9.1.9.2.6.8.7.5.0.5.1.7.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.9.1.9.2.6.9.3.5.9.8.9.6.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.7.c.3.b.5.2.c.-.8.e.6.f.-.4.e.0.2.-.8.7.e.9.-.4.5.8.d.2.1.1.d.4.0.c.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.c.e.6.c.1.5.d.-.8.3.9.6.-.4.d.2.5.-.a.4.e.1.-.6.3.9.1.6.2.4.f.e.b.f.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.n.e.w. .s.h.i.p.m.e.n.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.v.I...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.b.8.-.0.0.0.1.-.0.0.1.4.-.a.c.5.5.-.e.2.b.0.e.5.1.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.e.f.d.9.6.8.8.c.3.6.5.7.8.3.e.7.8.c.c.b.5.6.4.0.4.4.9.5.8.1.9.0.0.0.0.0.0.0.0.!.0.0.0.0.0.c.4.0.6.e.f.1.5.6.6.2.e.8.5.8.0.a.7.2.4.e.f.0.5.d.f.b.0.4.d.7.6.c.2.2.2.c.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Fri Sep 27 14:01:09 2024, 0x1205a4 type
Category: dropped
Size (bytes): 268182
Entropy (8bit): 3.772436485471649
Encrypted: false
SSDEEP: 3072:cNCxiytMQ1YtS2HMjs4uEqKx16LTgOr1a0yB4D:cNCxiZEkMjs4jx2Tgua0yB4
MD5: 6E34D7D6A69F796ADDB0FEE3B30AE135
SHA1: D6E53BE64A51C79C8C966D0BA25AB90CE6DF50A0
SHA-256: 3B768256CE08010EFFACCD7910B398246E5EDBD9F3D2BDEC76DB81A101B8367D
SHA-512: 912FA2F3EFA0A22A2EDFEE31A5BEF1E6264DBCD78DD417F809C779D2045EE3E893040B6A4F90B7CC5CF5E1A293C6CF36CBF59BCA80352EAD41FF1F31611F2CF1
Malicious: false
Reputation: low
Preview: MDMP..a..... ..........f............D...............X.......<....#.......%...S..........`.......8...........T............;..............,$...........&..............................................................................eJ.......&......GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8336
Entropy (8bit): 3.6985867804742534
Encrypted: false
SSDEEP: 192:R6l7wVeJy16j6Yl06djgmfp40dprt89bXTsfu9m:R6lXJQ6j6YW6Jgmfp40qX4fV
MD5: D1FF7415033550F3B6E5CD63B104C863
SHA1: B48EC142E68DC35F027F045066F044D19F174F66
SHA-256: 3636A74B30360628142BFE7D1C760145FCB41472E673A22F2310EA2EF1E934B2
SHA-512: B06D3D97451B00421FA93BBB40274A49D4F0BE08803AD2E38CD0DBD7A0C53D14EFC48E51C6049163B581443EF426BE6CD65E8D67CF05D6B1C6FB2C5C957FC374
Malicious: false
Reputation: low
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.6.4.<./.P.i.
Process: C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4663
                          Entropy (8bit):4.4700798782418785
                          Encrypted:false
                          SSDEEP:48:cvIwWl8zscJg77aI9ALWpW8VYjQTYm8M4JPjF/T+q8rwPIUkd:uIjfaI7267VCJFTjgUkd
                          MD5:E4D1A2DE5823EFFE467F1827142D4580
                          SHA1:CD0D96D9D7520DD31FC743EFD6E2C685B0FE26DE
                          SHA-256:1917E949ADBCD291721B4E7A6DCE99D85010652079628C21D64DE2646F468EEE
                          SHA-512:1D82CDC90933F89D5E047A249499F14214D0412CEAFC16B928F6E94063164A2AA4F6772C7F5D1FAEB0ED3B716CDA1E15C23C96ABB12B2D451BA26B9C077C7F11
                          Malicious:false
                          Reputation:low
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="518703" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:MS Windows registry file, NT/2000 or above
                          Category:dropped
                          Size (bytes):1835008
                          Entropy (8bit):4.3941029139287515
                          Encrypted:false
                          SSDEEP:6144:Rl4fiJoH0ncNXiUjt10qHG/gaocYGBoaUMMhA2NX4WABlBuNAUOBSqa:H4vFHMYQUMM6VFYSUU
                          MD5:6583820EEBBDD3487F801682ADCC110F
                          SHA1:6A30CDCFAAF3BE368D7B3D80437D1269B6FE74C8
                          SHA-256:90ECB12764A60C5E8909CDFB6149FEB6412664A1C2D805C5B4555ECEA151332A
                          SHA-512:12983F1E096DE49EFDA4B430C8345686BEFEA068107F9E4D53A1C2508FB580F37E2B2D75D395497A0E86992C5A084A63C3295D4B022F819886A08BF83244289E
                          Malicious:false
                          Reputation:low
                          Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.W..................................................................................................................................................................................................................................................................................................................................................YM..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):7.267261742054411
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                          • Win32 Executable (generic) a (10002005/4) 49.75%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Windows Screen Saver (13104/52) 0.07%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          File name:new shipment.exe
                          File size:918'528 bytes
                          MD5:41e96a8eabf31d7b5abbeb15d5307b40
                          SHA1:0c406ef15662e8580a724ef05dfb04d76c222c9c
                          SHA256:d7ea65fb9c018f20cff23dc97bb8a9a6818e97c333a5485142f2e0210be204e1
                          SHA512:9912ba11bef1e1b084d88e852e538e054c61878300993a35de859d44c35600d262c43432a76ba72ec087258fcdd20624bdf9faf3f87c34e5dfe17b3d3c824ed4
                          SSDEEP:12288:uQTfJcX7m2QriOBq7bP7BqHwd//AulzaeNhmXGj4qTOU:+Xi2DgqBqQhAulzi1yOU
                          TLSH:D015BF0537FC022AE9FF4B78E4B12528CABAF845A51FF78D2485A1FD09B37559A50332
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...am............"...0.................. ... ....@.. .......................`............`................................
                          Icon Hash:00928e8e8686b000
                          Entrypoint:0x4e18ce
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0xEA086D61 [Thu Jun 3 16:27:13 2094 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                           Name | Virtual Address | Virtual Size | Is in Section
                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe1874 | 0x57 | .text
                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe2000 | 0x576 | .rsrc
                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe4000 | 0xc | .reloc
                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                           Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                           .text | 0x2000 | 0xdf8d4 | 0xdfa00 | 138ab11e6b6fea585a1b58b8ec615be7 | False | 0.5358953587898267 | data | 7.274277592919608 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                           .rsrc | 0xe2000 | 0x576 | 0x600 | 6bdba2d938cec3a01da651a16db3d6cd | False | 0.4088541666666667 | data | 3.994648161937343 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .reloc | 0xe4000 | 0xc | 0x200 | 394bd0892562eceabfcf66069ab94f81 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                           Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                           RT_VERSION | 0xe20a0 | 0x2ec | data | | | 0.43716577540106955
                           RT_MANIFEST | 0xe238c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                           DLL | Import
                           mscoree.dll | _CorExeMain
                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                           Sep 27, 2024 16:01:05.212923050 CEST | 49706 | 80 | 192.168.2.9 | 132.226.8.169
                           Sep 27, 2024 16:01:05.220846891 CEST | 80 | 49706 | 132.226.8.169 | 192.168.2.9
                           Sep 27, 2024 16:01:05.220967054 CEST | 49706 | 80 | 192.168.2.9 | 132.226.8.169
                           Sep 27, 2024 16:01:05.221200943 CEST | 49706 | 80 | 192.168.2.9 | 132.226.8.169
                           Sep 27, 2024 16:01:05.227756023 CEST | 80 | 49706 | 132.226.8.169 | 192.168.2.9
                           Sep 27, 2024 16:01:09.217171907 CEST | 80 | 49706 | 132.226.8.169 | 192.168.2.9
                           Sep 27, 2024 16:01:09.266669035 CEST | 49706 | 80 | 192.168.2.9 | 132.226.8.169
                           Sep 27, 2024 16:01:15.989561081 CEST | 49706 | 80 | 192.168.2.9 | 132.226.8.169
                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                           Sep 27, 2024 16:01:05.197922945 CEST | 57994 | 53 | 192.168.2.9 | 1.1.1.1
                           Sep 27, 2024 16:01:05.206494093 CEST | 53 | 57994 | 1.1.1.1 | 192.168.2.9
                           Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                           Sep 27, 2024 16:01:05.197922945 CEST | 192.168.2.9 | 1.1.1.1 | 0xbac0 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                           Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                           Sep 27, 2024 16:01:05.206494093 CEST | 1.1.1.1 | 192.168.2.9 | 0xbac0 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
                           Sep 27, 2024 16:01:05.206494093 CEST | 1.1.1.1 | 192.168.2.9 | 0xbac0 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                           Sep 27, 2024 16:01:05.206494093 CEST | 1.1.1.1 | 192.168.2.9 | 0xbac0 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                           Sep 27, 2024 16:01:05.206494093 CEST | 1.1.1.1 | 192.168.2.9 | 0xbac0 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                           Sep 27, 2024 16:01:05.206494093 CEST | 1.1.1.1 | 192.168.2.9 | 0xbac0 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                           Sep 27, 2024 16:01:05.206494093 CEST | 1.1.1.1 | 192.168.2.9 | 0xbac0 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                          • checkip.dyndns.org
                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                           0 | 192.168.2.9 | 49706 | 132.226.8.169 | 80 | 1464 | C:\Users\user\Desktop\new shipment.exe
                           Timestamp | Bytes transferred | Direction | Data
                           Sep 27, 2024 16:01:05.221200943 CEST | 151 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                           Sep 27, 2024 16:01:09.217171907 CEST | 697 | IN | HTTP/1.1 504 Gateway Time-out
                          Date: Fri, 27 Sep 2024 14:01:09 GMT
                          Content-Type: text/html
                          Content-Length: 557
                          Connection: keep-alive
                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED]
                          Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                          Target ID:0
                          Start time:10:01:03
                          Start date:27/09/2024
                          Path:C:\Users\user\Desktop\new shipment.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\new shipment.exe"
                          Imagebase:0xd10000
                          File size:918'528 bytes
                          MD5 hash:41E96A8EABF31D7B5ABBEB15D5307B40
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2599288668.00000000040A1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          Reputation:low
                          Has exited:false

                          Target ID:2
                          Start time:10:01:03
                          Start date:27/09/2024
                          Path:C:\Users\user\Desktop\new shipment.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\new shipment.exe"
                          Imagebase:0xf80000
                          File size:918'528 bytes
                          MD5 hash:41E96A8EABF31D7B5ABBEB15D5307B40
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.1448682843.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.1450342369.0000000003611000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:6
                          Start time:10:01:08
                          Start date:27/09/2024
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 1528
                          Imagebase:0x140000
                          File size:483'680 bytes
                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true


                            Execution Graph

                            Execution Coverage:6.8%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:7.7%
                            Total number of Nodes:52
                            Total number of Limit Nodes:5
                            execution_graph 22878 2f8e398 22879 2f8e3da 22878->22879 22880 2f8e3e0 GetModuleHandleW 22878->22880 22879->22880 22881 2f8e40d 22880->22881 22882 6498c80 22884 6498ce5 22882->22884 22883 6498d32 22884->22883 22885 6497030 PeekMessageW 22884->22885 22887 64988ac 22884->22887 22885->22884 22888 64999e8 DispatchMessageW 22887->22888 22889 6499a54 22888->22889 22889->22884 22890 6491080 22891 649109a 22890->22891 22892 64910ad 22890->22892 22896 6491148 22891->22896 22906 64910f7 22891->22906 22912 6491108 22891->22912 22897 6491113 22896->22897 22900 6491153 22896->22900 22898 649111e 22897->22898 22904 6491148 2 API calls 22897->22904 22917 6491158 22897->22917 22898->22892 22899 6491189 22899->22892 22900->22899 22924 6491478 22900->22924 22929 6491488 22900->22929 22901 64911ac 22904->22898 22907 64910fb 22906->22907 22909 64910bb 22906->22909 22908 649111e 22907->22908 22910 6491148 2 API calls 22907->22910 22911 6491158 2 API calls 22907->22911 22908->22892 22909->22892 22910->22908 22911->22908 22913 649111e 22912->22913 22914 6491117 22912->22914 22913->22892 22915 6491148 2 API calls 22914->22915 22916 6491158 2 API calls 22914->22916 22915->22913 22916->22913 22918 6491460 22917->22918 22919 6491180 22917->22919 22918->22898 22920 6491189 22919->22920 22922 6491478 2 API calls 22919->22922 22923 6491488 2 API calls 22919->22923 22920->22898 22921 64911ac 22922->22921 22923->22921 22925 6491443 22924->22925 22925->22924 22926 64914a3 22925->22926 22934 64914d0 22925->22934 22937 64914d8 OleInitialize 22925->22937 22926->22901 22930 6491493 22929->22930 22931 64914a3 22930->22931 22932 64914d8 OleInitialize 22930->22932 22933 64914d0 OleInitialize 22930->22933 22931->22901 22932->22931 22933->22931 22935 64914d8 OleInitialize 22934->22935 22936 6491533 22935->22936 22936->22926 22938 6491533 22937->22938 22938->22926

                            Control-flow Graph

                            • Executed
                            • Not Executed
                             control_flow_graph 1455 6498c80-6498ce3 1456 6498d12-6498d30 1455->1456 1457 6498ce5-6498d0f 1455->1457 1462 6498d39-6498d70 1456->1462 1463 6498d32-6498d34 1456->1463 1457->1456 1467 64991a1 1462->1467 1468 6498d76-6498d8a 1462->1468 1465 64991f2-6499207 1463->1465 1471 64991a6-64991bc 1467->1471 1469 6498db9-6498dd8 1468->1469 1470 6498d8c-6498db6 1468->1470 1477 6498dda-6498de0 1469->1477 1478 6498df0-6498df2 1469->1478 1470->1469 1471->1465 1479 6498de2 1477->1479 1480 6498de4-6498de6 1477->1480 1481 6498e11-6498e1a 1478->1481 1482 6498df4-6498e0c 1478->1482 1479->1478 1480->1478 1484 6498e22-6498e29 1481->1484 1482->1471 1485 6498e2b-6498e31 1484->1485 1486 6498e33-6498e3a 1484->1486 1487 6498e47-6498e64 call 6497030 1485->1487 1488 6498e3c-6498e42 1486->1488 1489 6498e44 1486->1489 1492 6498fb9-6498fbd 1487->1492 1493 6498e6a-6498e71 1487->1493 1488->1487 1489->1487 1495 649918c-649919f 1492->1495 1496 6498fc3-6498fc7 1492->1496 1493->1467 1494 6498e77-6498eb4 1493->1494 1504 6498eba-6498ebf 1494->1504 1505 6499182-6499186 1494->1505 1495->1471 1497 6498fc9-6498fdc 1496->1497 1498 6498fe1-6498fea 1496->1498 1497->1471 1500 6499019-6499020 1498->1500 1501 6498fec-6499016 1498->1501 1502 64990bf-64990d4 1500->1502 1503 6499026-649902d 1500->1503 1501->1500 1502->1505 1516 64990da-64990dc 1502->1516 1506 649905c-649907e 1503->1506 1507 649902f-6499059 1503->1507 1508 6498ef1-6498f06 call 6498884 1504->1508 1509 6498ec1-6498ecf call 649886c 1504->1509 1505->1484 1505->1495 1506->1502 1543 6499080-649908a 1506->1543 1507->1506 1514 6498f0b-6498f0f 1508->1514 1509->1508 1524 6498ed1-6498eef call 6498878 1509->1524 1520 6498f11-6498f23 call 6498890 1514->1520 1521 6498f80-6498f8d 1514->1521 1522 6499129-6499146 call 6497030 1516->1522 1523 64990de-6499117 1516->1523 1547 6498f63-6498f7b 1520->1547 1548 6498f25-6498f55 1520->1548 1521->1505 1535 6498f93-6498f9d call 64988a0 1521->1535 1522->1505 1541 6499148-6499174 1522->1541 1538 6499119-649911f 1523->1538 1539 6499120-6499127 1523->1539 1524->1514 1552 6498fac-6498fb4 call 64988b8 1535->1552 1553 6498f9f-6498fa2 call 64988ac 1535->1553 1538->1539 1539->1505 1550 649917b 1541->1550 1551 6499176 1541->1551 1557 649908c-6499092 1543->1557 1558 64990a2-64990bd 1543->1558 1547->1471 1564 6498f5c 1548->1564 1565 6498f57 1548->1565 1550->1505 1551->1550 1552->1505 1560 6498fa7 1553->1560 1562 6499094 1557->1562 1563 6499096-6499098 1557->1563 1558->1502 1558->1543 1560->1505 1562->1558 1563->1558 1564->1547 1565->1564
                            Memory Dump Source
                            • Source File: 00000000.00000002.2602514948.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6490000_new shipment.jbxd
                            Similarity
                            • API ID: DispatchMessage
                            • String ID:
                            • API String ID: 2061451462-0
                            • Opcode ID: b4da462863d4447b34520f2f5843eea5b42cc739cfd11cf03cbd0fc4f70efb8e
                            • Instruction ID: b84550306c0af4f9602590b363904b3bff7771736abb49935a94e9c45e1d4533
                            • Opcode Fuzzy Hash: b4da462863d4447b34520f2f5843eea5b42cc739cfd11cf03cbd0fc4f70efb8e
                            • Instruction Fuzzy Hash: 27F15B30A40209CFEF55CFA9C848B9EBBF2BF89304F19855AE405AF355DB71A945CB90

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 0 64988e9-64988ea 1 64988ec-6498903 0->1 2 64988b2-64988b3 0->2 3 64999e8-6499a52 DispatchMessageW 1->3 2->3 5 6499a5b-6499a6f 3->5 6 6499a54-6499a5a 3->6 6->5
                            APIs
                            • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,06498FA7), ref: 06499A45
                            Memory Dump Source
                            • Source File: 00000000.00000002.2602514948.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6490000_new shipment.jbxd
                            Similarity
                            • API ID: DispatchMessage
                            • String ID:
                            • API String ID: 2061451462-0
                            • Opcode ID: 07d64483ac02e8c1bfe2290d631a971a53926e37569bd38bc27c84eb360713e0
                            • Instruction ID: 4fb81ce6c743eaeced460c8d509a5839547e269c7438f615a4521f2a98ef1cc7
                            • Opcode Fuzzy Hash: 07d64483ac02e8c1bfe2290d631a971a53926e37569bd38bc27c84eb360713e0
                            • Instruction Fuzzy Hash: AA2153B4C043898FDB11CFAAD840ADEBFF4AB4A214F04845AD458A7201C338A944CFA6

                            Control-flow Graph
                            • Block 8: 6497030-64992bd (PeekMessageW)
                            • Block 10: 64992bf-64992c5
                            • Block 11: 64992c6-64992e7
                            • Edges: 8->10, 8->11, 10->11
                            APIs
                            • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,06498E62,00000000,00000000,040A60D8,0317CAD4), ref: 064992B0
                            Memory Dump Source
                            • Source File: 00000000.00000002.2602514948.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6490000_new shipment.jbxd
                            Similarity
                            • API ID: MessagePeek
                            • String ID:
                            • API String ID: 2222842502-0
                            • Opcode ID: 95069f099d5db1128df95f331cd0c8a34b6858b349dfbd4a936df1dffecf769d
                            • Instruction ID: eb47d2355bdc986fa2c0348cb79717595bcaa429649e5c1016a673dbac8a07f6
                            • Opcode Fuzzy Hash: 95069f099d5db1128df95f331cd0c8a34b6858b349dfbd4a936df1dffecf769d
                            • Instruction Fuzzy Hash: 5311E7B5C002499FDB10CF9AD444BDEBBF4EB48310F14846AE954A7251D378A944CFA5

                            Control-flow Graph
                            • Block 13: 6499240-64992bd (PeekMessageW)
                            • Block 14: 64992bf-64992c5
                            • Block 15: 64992c6-64992e7
                            • Edges: 13->14, 13->15, 14->15
                            APIs
                            • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,06498E62,00000000,00000000,040A60D8,0317CAD4), ref: 064992B0
                            Memory Dump Source
                            • Source File: 00000000.00000002.2602514948.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6490000_new shipment.jbxd
                            Similarity
                            • API ID: MessagePeek
                            • String ID:
                            • API String ID: 2222842502-0
                            • Opcode ID: 4cf364348ccbb3a8c62192112fe1b75c041618eb7e2e8b7297944764a3c24960
                            • Instruction ID: 14094a4ba72d7a25cc9f61f3075d236a6716444f37dc2a1487141ec1a6ddab9d
                            • Opcode Fuzzy Hash: 4cf364348ccbb3a8c62192112fe1b75c041618eb7e2e8b7297944764a3c24960
                            • Instruction Fuzzy Hash: 201123B5C002499FDB10CF9AD884BDEBBF4EB08320F14842AE958A3251C378A944CFA1

                            Control-flow Graph
                            • Block 17: 2f8e398-2f8e3d8
                            • Block 18: 2f8e3da-2f8e3dd
                            • Block 19: 2f8e3e0-2f8e40b (GetModuleHandleW)
                            • Block 20: 2f8e40d-2f8e413
                            • Block 21: 2f8e414-2f8e428
                            • Edges: 17->18, 17->19, 18->19, 19->20, 19->21, 20->21
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02F8E3FE
                            Memory Dump Source
                            • Source File: 00000000.00000002.2598562040.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2f80000_new shipment.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: f8439a723a0e706edd8d8e58b5ab796078fb2dfe020468bdb31914cf60ab3016
                            • Instruction ID: 5ff4da89d341bd8dd6037194b5081bc68f71770789ae1ca5d11e3626603ff979
                            • Opcode Fuzzy Hash: f8439a723a0e706edd8d8e58b5ab796078fb2dfe020468bdb31914cf60ab3016
                            • Instruction Fuzzy Hash: 16111DB6C003498FDB10DF9AC544BDEFBF4AB88224F10846AE929A7600C379A545CFA1

                            Control-flow Graph
                            • Block 23: 64988ac-6499a52 (DispatchMessageW)
                            • Block 25: 6499a5b-6499a6f
                            • Block 26: 6499a54-6499a5a
                            • Edges: 23->25, 23->26, 26->25
                            APIs
                            • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,06498FA7), ref: 06499A45
                            Memory Dump Source
                            • Source File: 00000000.00000002.2602514948.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6490000_new shipment.jbxd
                            Similarity
                            • API ID: DispatchMessage
                            • String ID:
                            • API String ID: 2061451462-0
                            • Opcode ID: e16f86c57ddac14d65422beaf71075ec11588e86882954c118d01117568365c5
                            • Instruction ID: e0b6024b18d1f409bdf7e893a805425b716dad6ad91b853fdf2bbe276c515708
                            • Opcode Fuzzy Hash: e16f86c57ddac14d65422beaf71075ec11588e86882954c118d01117568365c5
                            • Instruction Fuzzy Hash: 9F111DB0C006898FDB10CF9AD844BDEFBF4EB48210F14842AE818A3300D378A944CFA5

                            Control-flow Graph
                            • Block 28: 64914d0-649152f (OleInitialize)
                            • Block 30: 6491533-649153a
                            • Block 31: 649153c-6491542
                            • Block 32: 6491543-6491560
                            • Edges: 28->30, 30->31, 30->32, 31->32
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2602514948.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6490000_new shipment.jbxd
                            Similarity
                            • API ID: Initialize
                            • String ID:
                            • API String ID: 2538663250-0
                            • Opcode ID: e98d9b7dcc1719bfa15908629385195343a2aa02c9077c1eea9ec89033074c29
                            • Instruction ID: 07754f617e930639dc91ca873464c0c750928b8c3042136103939ea0c5a2e8d6
                            • Opcode Fuzzy Hash: e98d9b7dcc1719bfa15908629385195343a2aa02c9077c1eea9ec89033074c29
                            • Instruction Fuzzy Hash: CF1130B1C003498FDB20DF9AD848BCEBBF4AB48220F20845AD419A3300D378A940CFA5

                            Control-flow Graph
                            • Block 35: 64999e1-64999e7
                            • Block 36: 64999e8-6499a52 (DispatchMessageW)
                            • Block 37: 6499a5b-6499a6f
                            • Block 38: 6499a54-6499a5a
                            • Edges: 35->36, 36->37, 36->38, 38->37
                            APIs
                            • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,06498FA7), ref: 06499A45
                            Memory Dump Source
                            • Source File: 00000000.00000002.2602514948.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6490000_new shipment.jbxd
                            Similarity
                            • API ID: DispatchMessage
                            • String ID:
                            • API String ID: 2061451462-0
                            • Opcode ID: f02baf2a56e049936b998affff7f815e6505d36e852c224332d4f6def8e61742
                            • Instruction ID: 6b70a6495f133a8f6a16fbe39820002204048a8e26cca5c57c6c0cb658e93f63
                            • Opcode Fuzzy Hash: f02baf2a56e049936b998affff7f815e6505d36e852c224332d4f6def8e61742
                            • Instruction Fuzzy Hash: C511FEB5C006898FCB10CF9AD844BCEFBF8EB48314F14842AE418B7640D378A544CFA5

                            Control-flow Graph
                            • Block 40: 64914d8-649152f (OleInitialize)
                            • Block 41: 6491533-649153a
                            • Block 42: 649153c-6491542
                            • Block 43: 6491543-6491560
                            • Edges: 40->41, 41->42, 41->43, 42->43
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2602514948.0000000006490000.00000040.00000800.00020000.00000000.sdmp, Offset: 06490000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6490000_new shipment.jbxd
                            Similarity
                            • API ID: Initialize
                            • String ID:
                            • API String ID: 2538663250-0
                            • Opcode ID: f2fb5d43524be7db7cb2714e160cf39c7d3a53a4c09d48fa7a21fc29d7d690ef
                            • Instruction ID: 2223d71a9f0c1d83962beb7fa3a21b3b22c4e2c82fd03ee6fa8121922145e6de
                            • Opcode Fuzzy Hash: f2fb5d43524be7db7cb2714e160cf39c7d3a53a4c09d48fa7a21fc29d7d690ef
                            • Instruction Fuzzy Hash: 98111EB58003498FDB20DF9AD444BDEBBF8AB48320F20845AD519A7340D379AA44CFA5
                            Memory Dump Source
                            • Source File: 00000000.00000002.2597909175.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_15cd000_new shipment.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d18f0b174d3d2b6ac3f38427b3e905c5074d57d16ef903cbd70b21f6b0a3319f
                            • Instruction ID: 0368dff18e8aa7bc8d47800f1bef51dfa3541090b2ec61dc034e7fc9ad7de6d8
                            • Opcode Fuzzy Hash: d18f0b174d3d2b6ac3f38427b3e905c5074d57d16ef903cbd70b21f6b0a3319f
                            • Instruction Fuzzy Hash: 2621F1755042449FDB15DF98D4C0B2ABBA5FB84614F24C96DD80A9F282D33AD407CAA2
                            Memory Dump Source
                            • Source File: 00000000.00000002.2597909175.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_15cd000_new shipment.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e8b6eebc5dad5aff561c5e712581f13195f56f36c8069ccb86a93b1826082b8a
                            • Instruction ID: bd8aaff30e74d22b3dde55564bcb2a35872b00239cb29fa22d74b61cef6a266e
                            • Opcode Fuzzy Hash: e8b6eebc5dad5aff561c5e712581f13195f56f36c8069ccb86a93b1826082b8a
                            • Instruction Fuzzy Hash: 2021D1715042449FDB01DF94D9C0B2ABBB5FB84A24F24C97ED8498F282C33AD446CAE2
                            Memory Dump Source
                            • Source File: 00000000.00000002.2597909175.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_15cd000_new shipment.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6d51e70442da87f56c3df077ec59028e18b4f7e9ee2ec9749fe098bc3c1aeb80
                            • Instruction ID: c9a38181cb4f7b46d45c8104a8e7be333200f52da643ff4b93f48a46848a0ee9
                            • Opcode Fuzzy Hash: 6d51e70442da87f56c3df077ec59028e18b4f7e9ee2ec9749fe098bc3c1aeb80
                            • Instruction Fuzzy Hash: 0F2180755093808FCB12CF68D594715BF71FB46214F28C5EED8498F6A7C33A980ACBA2
                            Memory Dump Source
                            • Source File: 00000000.00000002.2597909175.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_15cd000_new shipment.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d692a0047d57c856fe9c281bc03ca2a8a9bd8913fa11d24a2e87d76695bbbe94
                            • Instruction ID: 2df0a56f1bc5659500aea7841593146cf023252b29ee17aa275fa7cf8ffe1e72
                            • Opcode Fuzzy Hash: d692a0047d57c856fe9c281bc03ca2a8a9bd8913fa11d24a2e87d76695bbbe94
                            • Instruction Fuzzy Hash: DD11D075504680CFCB02CF54D5C0B19BB71FB84624F28C6AED8494B642C33AD406CBA1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1449692973.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1890000_new shipment.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 541584cd8b8ca34abff7d2b1ae8db0d20ec1e627ac37afb245ad760b1b632591
                            • Instruction ID: 24fa1cb05976d839d8dce2a63aeaa260742f513c73582ae2fbee611aa8f89ac5
                            • Opcode Fuzzy Hash: 541584cd8b8ca34abff7d2b1ae8db0d20ec1e627ac37afb245ad760b1b632591
                            • Instruction Fuzzy Hash: 6F02EE71906795CFCB628F78C45469ABFF1FF4A318B2844EDC445DB222E73A8952CB42
                            Memory Dump Source
                            • Source File: 00000002.00000002.1449692973.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1890000_new shipment.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5b5ae17c56af7723832c1ce9dfd2b3ed43d646c6f72417645b63ea6ebbfaf2b8
                            • Instruction ID: ce34892a399d5bdb810292cd2418f45da657dba2d24a50f0b02ebd7b7e513e7e
                            • Opcode Fuzzy Hash: 5b5ae17c56af7723832c1ce9dfd2b3ed43d646c6f72417645b63ea6ebbfaf2b8
                            • Instruction Fuzzy Hash: 5FB1C13160A7C1DBC7668F38C8552A6BFB1FF4631832C04EDC882CF256DA3A8955DB46
                            Memory Dump Source
                            • Source File: 00000002.00000002.1449692973.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1890000_new shipment.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0bfe1e679f760e205a6fc4b9267fa6cff355ab146de514546634287db03a8277
                            • Instruction ID: 95dcb64174e8c84d7547067fb1a065855791da862ae5f4965052a862953eff73
                            • Opcode Fuzzy Hash: 0bfe1e679f760e205a6fc4b9267fa6cff355ab146de514546634287db03a8277
                            • Instruction Fuzzy Hash: ED91A334B04219DBDF58EBB4996427E7BB7BFC8700B08856DE542E7388CE3589028B95
                            Memory Dump Source
                            • Source File: 00000002.00000002.1449692973.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1890000_new shipment.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f97df7f1ebbaa701d6e10c9e901577de6bced6e528c25e1cd28965acda462154
                            • Instruction ID: af48d5d2c6f96fe0f00b6ce1696367799d88831eca1743d0eb954e5faad90b98
                            • Opcode Fuzzy Hash: f97df7f1ebbaa701d6e10c9e901577de6bced6e528c25e1cd28965acda462154
                            • Instruction Fuzzy Hash: 5B520E74A00219CFDB64DF64E994B9DB7B2FF88301F1495A6D80AA7364EB345E81CF81
                            Memory Dump Source
                            • Source File: 00000002.00000002.1449692973.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1890000_new shipment.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2459a18b7a18b01da9357cf29b37fb335de00abf2dc13e475e19cc75554cc098
                            • Instruction ID: a2445e68fa5677a3ea65144de69f0b6ab0fed1f4cfea5b775d5cb1696494b82f
                            • Opcode Fuzzy Hash: 2459a18b7a18b01da9357cf29b37fb335de00abf2dc13e475e19cc75554cc098
                            • Instruction Fuzzy Hash: 23520074A00219CFDB64DF64E994B9DB7B2FF88301F1495A6D80AA7364EB345E81CF81
                            Memory Dump Source
                            • Source File: 00000002.00000002.1449692973.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1890000_new shipment.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b3dd96fdcc1ce35b72662e2f1931067119b1912b65d6adcf34ba5689c8042225
                            • Instruction ID: 0d4987af188ba80f88036d1a104b4352603290ad2f2a4f608d7d3429695c6c12
                            • Opcode Fuzzy Hash: b3dd96fdcc1ce35b72662e2f1931067119b1912b65d6adcf34ba5689c8042225
                            • Instruction Fuzzy Hash: B5312674D093498FCB05DFB8D8546EDBFB1EF4A304F1441AAC445AB265EB310A45CBA2
                            Memory Dump Source
                            • Source File: 00000002.00000002.1449692973.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1890000_new shipment.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 552fd1f3e16949f38da935576ad14a246a5b2abbaa17752b5aa1c046b898bcd2
                            • Instruction ID: 7b805119f8b4d6f65426d8a871c1777120b230ed7a198cbca3905551cd540c40
                            • Opcode Fuzzy Hash: 552fd1f3e16949f38da935576ad14a246a5b2abbaa17752b5aa1c046b898bcd2
                            • Instruction Fuzzy Hash: 45219035A00105AFDF15DF68C890DAE77AAEB9D3A0B14C059E809DB250DB31EE06CBD1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1449692973.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1890000_new shipment.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a6a4950c45c75db51be0a22099d75e98a393741795f0134e56d5d33089d7d5ff
                            • Instruction ID: d2d9eb4fe809c906ba1412c9e701d1850e4271f81fd0f62720f69b72f3f8c39e
                            • Opcode Fuzzy Hash: a6a4950c45c75db51be0a22099d75e98a393741795f0134e56d5d33089d7d5ff
                            • Instruction Fuzzy Hash: F731B478E01308DFCB44DFA8E59489DBBB2FF49305B2490AAE819AB364D735AD41CF50
                            Memory Dump Source
                            • Source File: 00000002.00000002.1449692973.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1890000_new shipment.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 84aba784e8da7d964fe5b3036276d6e2e96385a74898f085994311375d348c0d
                            • Instruction ID: 166b4fe59a4fe9396c8be176feab15f667fa316840a949e45b7c73e467d1e3c9
                            • Opcode Fuzzy Hash: 84aba784e8da7d964fe5b3036276d6e2e96385a74898f085994311375d348c0d
                            • Instruction Fuzzy Hash: 5421E074C0524A8FCB05EFA9D8545EEBFF0BF4A300F1451AAD845F6224EB305A95CBA1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1449692973.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1890000_new shipment.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6f8e8529d9f494e58489d9429517e606a2ab031663add1fce758a8c01a44ebf3
                            • Instruction ID: 58a0a8639b4622ddf01ee8b10308f30448b84a80deead6eae9b013be1937afa0
                            • Opcode Fuzzy Hash: 6f8e8529d9f494e58489d9429517e606a2ab031663add1fce758a8c01a44ebf3
                            • Instruction Fuzzy Hash: 20E02632D54366CBCB02E7F49C040EEBF34ADD2221B08869BC0A037090EF30221AC3A1
                            Memory Dump Source
                            • Source File: 00000002.00000002.1449692973.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1890000_new shipment.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 597cc4fb2efa8076280a7e927ea6b37c7d1adbdcdc63a71976004f76a5d58e09
                            • Instruction ID: a7925a47f84833d748cca345b0d4b124d72dd65a835aba162b19291c4699523a
                            • Opcode Fuzzy Hash: 597cc4fb2efa8076280a7e927ea6b37c7d1adbdcdc63a71976004f76a5d58e09
                            • Instruction Fuzzy Hash: D8D01732D2022A979B10AAA9DC048EEBB38EE96621B908626D52437140EB70265986B1