Edit tour

Windows Analysis Report
proforma_Invoice_0009300_74885959969_9876.exe

Overview

General Information

Sample name:	proforma_Invoice_0009300_74885959969_9876.exe
Analysis ID:	1410983
MD5:	8edf0c1d21d2c8af7ec391b6d41e7956
SHA1:	608f1c3c75a4910b6ce7519f58ab3958349b4fcb
SHA256:	ef263c250445fa7bdc89056b3bccad7392d5b51b54bcd605efc949a5bed65a2c
Tags:	exe
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

.NET source code references suspicious native API functions

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Sample has a suspicious name (potential lure to open the executable)

Self deletion via cmd or bat file

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

proforma_Invoice_0009300_74885959969_9876.exe (PID: 7496 cmdline: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe MD5: 8EDF0C1D21D2C8AF7EC391B6D41E7956)

proforma_Invoice_0009300_74885959969_9876.exe (PID: 7560 cmdline: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe MD5: 8EDF0C1D21D2C8AF7EC391B6D41E7956)

cmd.exe (PID: 8040 cmdline: C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 8096 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord https://blogs.blackberry.com/en/2022/06/threat-thursday-unique-delivery-method-for-snake-keylogger	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Url", "Exfil Url": "https://scratchdreams.tk/_send_.php?"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x148ff:$a1: get_encryptedPassword 0x14bf5:$a2: get_encryptedUsername 0x1470b:$a3: get_timePasswordChanged 0x14806:$a4: get_passwordField 0x14915:$a5: set_encryptedPassword 0x15f60:$a7: get_logins 0x15ec3:$a10: KeyLoggerEventArgs 0x15b5c:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19883:$x1: $%SMTPDV$ 0x182ea:$x2: $#TheHashHere%& 0x1982b:$x3: %FTPDV$ 0x1825c:$x4: $%TelegramDv$ 0x15b5c:$x5: KeyLoggerEventArgs 0x15ec3:$x5: KeyLoggerEventArgs 0x1984f:$m2: Clipboard Logs ID 0x19a39:$m2: Screenshot Logs ID 0x19b05:$m2: keystroke Logs ID 0x19a11:$m4: \SnakeKeylogger\
00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x56d2f:$a1: get_encryptedPassword 0x7775f:$a1: get_encryptedPassword 0x97f7f:$a1: get_encryptedPassword 0x57025:$a2: get_encryptedUsername 0x77a55:$a2: get_encryptedUsername 0x98275:$a2: get_encryptedUsername 0x56b3b:$a3: get_timePasswordChanged 0x7756b:$a3: get_timePasswordChanged 0x97d8b:$a3: get_timePasswordChanged 0x56c36:$a4: get_passwordField 0x77666:$a4: get_passwordField 0x97e86:$a4: get_passwordField 0x56d45:$a5: set_encryptedPassword 0x77775:$a5: set_encryptedPassword 0x97f95:$a5: set_encryptedPassword 0x58390:$a7: get_logins 0x78dc0:$a7: get_logins 0x995e0:$a7: get_logins 0x582f3:$a10: KeyLoggerEventArgs 0x78d23:$a10: KeyLoggerEventArgs 0x99543:$a10: KeyLoggerEventArgs
00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x5bcb3:$x1: $%SMTPDV$ 0x7c6e3:$x1: $%SMTPDV$ 0x9cf03:$x1: $%SMTPDV$ 0x5a71a:$x2: $#TheHashHere%& 0x7b14a:$x2: $#TheHashHere%& 0x9b96a:$x2: $#TheHashHere%& 0x5bc5b:$x3: %FTPDV$ 0x7c68b:$x3: %FTPDV$ 0x9ceab:$x3: %FTPDV$ 0x5a68c:$x4: $%TelegramDv$ 0x7b0bc:$x4: $%TelegramDv$ 0x9b8dc:$x4: $%TelegramDv$ 0x57f8c:$x5: KeyLoggerEventArgs 0x582f3:$x5: KeyLoggerEventArgs 0x789bc:$x5: KeyLoggerEventArgs 0x78d23:$x5: KeyLoggerEventArgs 0x991dc:$x5: KeyLoggerEventArgs 0x99543:$x5: KeyLoggerEventArgs 0x5bc7f:$m2: Clipboard Logs ID 0x5be69:$m2: Screenshot Logs ID 0x5bf35:$m2: keystroke Logs ID
00000002.00000002.1367436679.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7496	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7496	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7496	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c55d:$a1: get_encryptedPassword 0x3c849:$a2: get_encryptedUsername 0x3c373:$a3: get_timePasswordChanged 0x3c46e:$a4: get_passwordField 0x3c573:$a5: set_encryptedPassword 0x3e9b5:$a7: get_logins 0x3e918:$a10: KeyLoggerEventArgs 0x3e5b1:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7496	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3e5b1:$x5: KeyLoggerEventArgs 0x3e918:$x5: KeyLoggerEventArgs 0x3f4d0:$x5: KeyLoggerEventArgs 0x3f804:$x5: KeyLoggerEventArgs 0x40acc:$m2: Clipboard Logs ID 0x40bbb:$m2: Screenshot Logs ID 0x40bef:$m2: keystroke Logs ID 0x40ba7:$m4: \SnakeKeylogger\
Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7560	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7560	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7560	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7a5c:$a1: get_encryptedPassword 0x7d48:$a2: get_encryptedUsername 0x7872:$a3: get_timePasswordChanged 0x796d:$a4: get_passwordField 0x7a72:$a5: set_encryptedPassword 0x9eb4:$a7: get_logins 0x9e17:$a10: KeyLoggerEventArgs 0x9ab0:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7560	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x9ab0:$x5: KeyLoggerEventArgs 0x9e17:$x5: KeyLoggerEventArgs 0xa9cf:$x5: KeyLoggerEventArgs 0xad03:$x5: KeyLoggerEventArgs 0xbfcb:$m2: Clipboard Logs ID 0xc0ba:$m2: Screenshot Logs ID 0xc0ee:$m2: keystroke Logs ID 0xc0a6:$m4: \SnakeKeylogger\
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.proforma_Invoice_0009300_74885959969_9876.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.proforma_Invoice_0009300_74885959969_9876.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.proforma_Invoice_0009300_74885959969_9876.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.proforma_Invoice_0009300_74885959969_9876.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14aff:$a1: get_encryptedPassword 0x14df5:$a2: get_encryptedUsername 0x1490b:$a3: get_timePasswordChanged 0x14a06:$a4: get_passwordField 0x14b15:$a5: set_encryptedPassword 0x16160:$a7: get_logins 0x160c3:$a10: KeyLoggerEventArgs 0x15d5c:$a11: KeyLoggerEventArgsEventHandler
2.2.proforma_Invoice_0009300_74885959969_9876.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c35b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b58d:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b9c0:$a4: \Orbitum\User Data\Default\Login Data 0x1c9ff:$a5: \Kometa\User Data\Default\Login Data
2.2.proforma_Invoice_0009300_74885959969_9876.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156cf:$s1: UnHook 0x156d6:$s2: SetHook 0x156de:$s3: CallNextHook 0x156eb:$s4: _hook
2.2.proforma_Invoice_0009300_74885959969_9876.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a83:$x1: $%SMTPDV$ 0x184ea:$x2: $#TheHashHere%& 0x19a2b:$x3: %FTPDV$ 0x1845c:$x4: $%TelegramDv$ 0x15d5c:$x5: KeyLoggerEventArgs 0x160c3:$x5: KeyLoggerEventArgs 0x19a4f:$m2: Clipboard Logs ID 0x19c39:$m2: Screenshot Logs ID 0x19d05:$m2: keystroke Logs ID 0x19c11:$m4: \SnakeKeylogger\
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cff:$a1: get_encryptedPassword 0x12ff5:$a2: get_encryptedUsername 0x12b0b:$a3: get_timePasswordChanged 0x12c06:$a4: get_passwordField 0x12d15:$a5: set_encryptedPassword 0x14360:$a7: get_logins 0x142c3:$a10: KeyLoggerEventArgs 0x13f5c:$a11: KeyLoggerEventArgsEventHandler
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a55b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1978d:$a3: \Google\Chrome\User Data\Default\Login Data 0x19bc0:$a4: \Orbitum\User Data\Default\Login Data 0x1abff:$a5: \Kometa\User Data\Default\Login Data
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138cf:$s1: UnHook 0x138d6:$s2: SetHook 0x138de:$s3: CallNextHook 0x138eb:$s4: _hook
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c83:$x1: $%SMTPDV$ 0x166ea:$x2: $#TheHashHere%& 0x17c2b:$x3: %FTPDV$ 0x1665c:$x4: $%TelegramDv$ 0x13f5c:$x5: KeyLoggerEventArgs 0x142c3:$x5: KeyLoggerEventArgs 0x17c4f:$m2: Clipboard Logs ID 0x17e39:$m2: Screenshot Logs ID 0x17f05:$m2: keystroke Logs ID 0x17e11:$m4: \SnakeKeylogger\
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cff:$a1: get_encryptedPassword 0x12ff5:$a2: get_encryptedUsername 0x12b0b:$a3: get_timePasswordChanged 0x12c06:$a4: get_passwordField 0x12d15:$a5: set_encryptedPassword 0x14360:$a7: get_logins 0x142c3:$a10: KeyLoggerEventArgs 0x13f5c:$a11: KeyLoggerEventArgsEventHandler
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a55b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1978d:$a3: \Google\Chrome\User Data\Default\Login Data 0x19bc0:$a4: \Orbitum\User Data\Default\Login Data 0x1abff:$a5: \Kometa\User Data\Default\Login Data
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138cf:$s1: UnHook 0x138d6:$s2: SetHook 0x138de:$s3: CallNextHook 0x138eb:$s4: _hook
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c83:$x1: $%SMTPDV$ 0x166ea:$x2: $#TheHashHere%& 0x17c2b:$x3: %FTPDV$ 0x1665c:$x4: $%TelegramDv$ 0x13f5c:$x5: KeyLoggerEventArgs 0x142c3:$x5: KeyLoggerEventArgs 0x17c4f:$m2: Clipboard Logs ID 0x17e39:$m2: Screenshot Logs ID 0x17f05:$m2: keystroke Logs ID 0x17e11:$m4: \SnakeKeylogger\
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14aff:$a1: get_encryptedPassword 0x3531f:$a1: get_encryptedPassword 0x14df5:$a2: get_encryptedUsername 0x35615:$a2: get_encryptedUsername 0x1490b:$a3: get_timePasswordChanged 0x3512b:$a3: get_timePasswordChanged 0x14a06:$a4: get_passwordField 0x35226:$a4: get_passwordField 0x14b15:$a5: set_encryptedPassword 0x35335:$a5: set_encryptedPassword 0x16160:$a7: get_logins 0x36980:$a7: get_logins 0x160c3:$a10: KeyLoggerEventArgs 0x368e3:$a10: KeyLoggerEventArgs 0x15d5c:$a11: KeyLoggerEventArgsEventHandler 0x3657c:$a11: KeyLoggerEventArgsEventHandler
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c35b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cb7b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b58d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bdad:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b9c0:$a4: \Orbitum\User Data\Default\Login Data 0x3c1e0:$a4: \Orbitum\User Data\Default\Login Data 0x1c9ff:$a5: \Kometa\User Data\Default\Login Data 0x3d21f:$a5: \Kometa\User Data\Default\Login Data
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156cf:$s1: UnHook 0x35eef:$s1: UnHook 0x156d6:$s2: SetHook 0x35ef6:$s2: SetHook 0x156de:$s3: CallNextHook 0x35efe:$s3: CallNextHook 0x156eb:$s4: _hook 0x35f0b:$s4: _hook
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a83:$x1: $%SMTPDV$ 0x3a2a3:$x1: $%SMTPDV$ 0x184ea:$x2: $#TheHashHere%& 0x38d0a:$x2: $#TheHashHere%& 0x19a2b:$x3: %FTPDV$ 0x3a24b:$x3: %FTPDV$ 0x1845c:$x4: $%TelegramDv$ 0x38c7c:$x4: $%TelegramDv$ 0x15d5c:$x5: KeyLoggerEventArgs 0x160c3:$x5: KeyLoggerEventArgs 0x3657c:$x5: KeyLoggerEventArgs 0x368e3:$x5: KeyLoggerEventArgs 0x19a4f:$m2: Clipboard Logs ID 0x19c39:$m2: Screenshot Logs ID 0x19d05:$m2: keystroke Logs ID 0x3a26f:$m2: Clipboard Logs ID 0x3a459:$m2: Screenshot Logs ID 0x3a525:$m2: keystroke Logs ID 0x19c11:$m4: \SnakeKeylogger\ 0x3a431:$m4: \SnakeKeylogger\
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14aff:$a1: get_encryptedPassword 0x3552f:$a1: get_encryptedPassword 0x55d4f:$a1: get_encryptedPassword 0x14df5:$a2: get_encryptedUsername 0x35825:$a2: get_encryptedUsername 0x56045:$a2: get_encryptedUsername 0x1490b:$a3: get_timePasswordChanged 0x3533b:$a3: get_timePasswordChanged 0x55b5b:$a3: get_timePasswordChanged 0x14a06:$a4: get_passwordField 0x35436:$a4: get_passwordField 0x55c56:$a4: get_passwordField 0x14b15:$a5: set_encryptedPassword 0x35545:$a5: set_encryptedPassword 0x55d65:$a5: set_encryptedPassword 0x16160:$a7: get_logins 0x36b90:$a7: get_logins 0x573b0:$a7: get_logins 0x160c3:$a10: KeyLoggerEventArgs 0x36af3:$a10: KeyLoggerEventArgs 0x57313:$a10: KeyLoggerEventArgs
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c35b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cd8b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d5ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b58d:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bfbd:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c7dd:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b9c0:$a4: \Orbitum\User Data\Default\Login Data 0x3c3f0:$a4: \Orbitum\User Data\Default\Login Data 0x5cc10:$a4: \Orbitum\User Data\Default\Login Data 0x1c9ff:$a5: \Kometa\User Data\Default\Login Data 0x3d42f:$a5: \Kometa\User Data\Default\Login Data 0x5dc4f:$a5: \Kometa\User Data\Default\Login Data
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156cf:$s1: UnHook 0x360ff:$s1: UnHook 0x5691f:$s1: UnHook 0x156d6:$s2: SetHook 0x36106:$s2: SetHook 0x56926:$s2: SetHook 0x156de:$s3: CallNextHook 0x3610e:$s3: CallNextHook 0x5692e:$s3: CallNextHook 0x156eb:$s4: _hook 0x3611b:$s4: _hook 0x5693b:$s4: _hook
0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a83:$x1: $%SMTPDV$ 0x3a4b3:$x1: $%SMTPDV$ 0x5acd3:$x1: $%SMTPDV$ 0x184ea:$x2: $#TheHashHere%& 0x38f1a:$x2: $#TheHashHere%& 0x5973a:$x2: $#TheHashHere%& 0x19a2b:$x3: %FTPDV$ 0x3a45b:$x3: %FTPDV$ 0x5ac7b:$x3: %FTPDV$ 0x1845c:$x4: $%TelegramDv$ 0x38e8c:$x4: $%TelegramDv$ 0x596ac:$x4: $%TelegramDv$ 0x15d5c:$x5: KeyLoggerEventArgs 0x160c3:$x5: KeyLoggerEventArgs 0x3678c:$x5: KeyLoggerEventArgs 0x36af3:$x5: KeyLoggerEventArgs 0x56fac:$x5: KeyLoggerEventArgs 0x57313:$x5: KeyLoggerEventArgs 0x19a4f:$m2: Clipboard Logs ID 0x19c39:$m2: Screenshot Logs ID 0x19d05:$m2: keystroke Logs ID
Click to see the 28 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: proforma_Invoice_0009300_74885959969_9876.exe

Avira: detected

Found malware configuration

Source: 00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Url", "Exfil Url": "https://scratchdreams.tk/_send_.php?"}

Multi AV Scanner detection for submitted file

Source: proforma_Invoice_0009300_74885959969_9876.exe

ReversingLabs: Detection: 65%

Machine Learning detection for sample

Source: proforma_Invoice_0009300_74885959969_9876.exe

Joe Sandbox ML: detected

Source: proforma_Invoice_0009300_74885959969_9876.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.10:49705 version: TLS 1.0

Source: proforma_Invoice_0009300_74885959969_9876.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: proforma_Invoice_0009300_74885959969_9876.exe, 00000000.00000002.1263342286.0000000004BC0000.00000004.08000000.00040000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000000.00000002.1261521698.0000000002511000.00000004.00000800.00020000.00000000.sdmp

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.proforma_Invoice_0009300_74885959969_9876.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.194 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.194 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.194 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.194 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.194 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.194 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.194 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.194 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.10:49705 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.194 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.194 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.194 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.194 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.194 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.194 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.194 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/191.96.227.194 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D67000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002DA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002CFC000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D67000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002DA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: proforma_Invoice_0009300_74885959969_9876.exe, 00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D67000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002DA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002CFC000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D67000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002DA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: proforma_Invoice_0009300_74885959969_9876.exe, 00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002DA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/191.96.227.194
Source: proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002CFC000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D67000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002DA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/191.96.227.194$
Source: proforma_Invoice_0009300_74885959969_9876.exe, 00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.proforma_Invoice_0009300_74885959969_9876.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.proforma_Invoice_0009300_74885959969_9876.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.proforma_Invoice_0009300_74885959969_9876.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.proforma_Invoice_0009300_74885959969_9876.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7496, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7496, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7560, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7560, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: proforma_Invoice_0009300_74885959969_9876.exe

Sample has a suspicious name (potential lure to open the executable)

Source: proforma_Invoice_0009300_74885959969_9876.exe

Static file information: Suspicious name

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Code function: 0_2_007BABD8	0_2_007BABD8
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Code function: 2_2_01226168	2_2_01226168
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Code function: 2_2_0122C1F0	2_2_0122C1F0
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Code function: 2_2_0122B388	2_2_0122B388
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Code function: 2_2_0122C4D0	2_2_0122C4D0
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Code function: 2_2_0122C7B2	2_2_0122C7B2
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Code function: 2_2_01226790	2_2_01226790
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Code function: 2_2_012298B8	2_2_012298B8
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Code function: 2_2_01224B31	2_2_01224B31
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Code function: 2_2_0122CA92	2_2_0122CA92
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Code function: 2_2_0122BF12	2_2_0122BF12
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Code function: 2_2_0122B552	2_2_0122B552
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Code function: 2_2_012235CA	2_2_012235CA

Source: proforma_Invoice_0009300_74885959969_9876.exe, 00000000.00000002.1261640738.0000000003511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs proforma_Invoice_0009300_74885959969_9876.exe
Source: proforma_Invoice_0009300_74885959969_9876.exe, 00000000.00000002.1263342286.0000000004BC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs proforma_Invoice_0009300_74885959969_9876.exe
Source: proforma_Invoice_0009300_74885959969_9876.exe, 00000000.00000000.1256291056.000000000014A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTlazo.exe, vs proforma_Invoice_0009300_74885959969_9876.exe
Source: proforma_Invoice_0009300_74885959969_9876.exe, 00000000.00000002.1262161293.0000000004990000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs proforma_Invoice_0009300_74885959969_9876.exe
Source: proforma_Invoice_0009300_74885959969_9876.exe, 00000000.00000002.1261210534.00000000008BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs proforma_Invoice_0009300_74885959969_9876.exe
Source: proforma_Invoice_0009300_74885959969_9876.exe, 00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs proforma_Invoice_0009300_74885959969_9876.exe
Source: proforma_Invoice_0009300_74885959969_9876.exe, 00000000.00000002.1261521698.0000000002511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs proforma_Invoice_0009300_74885959969_9876.exe
Source: proforma_Invoice_0009300_74885959969_9876.exe, 00000000.00000002.1261521698.0000000002511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs proforma_Invoice_0009300_74885959969_9876.exe
Source: proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs proforma_Invoice_0009300_74885959969_9876.exe
Source: proforma_Invoice_0009300_74885959969_9876.exe	Binary or memory string: OriginalFilenameTlazo.exe, vs proforma_Invoice_0009300_74885959969_9876.exe

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: proforma_Invoice_0009300_74885959969_9876.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.proforma_Invoice_0009300_74885959969_9876.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.proforma_Invoice_0009300_74885959969_9876.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.proforma_Invoice_0009300_74885959969_9876.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.proforma_Invoice_0009300_74885959969_9876.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7496, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7496, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7560, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7560, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: proforma_Invoice_0009300_74885959969_9876.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack, --z.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack, --z.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack, O--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack, O--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack, --z.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack, --z.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack, O--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack, O--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.35b25d0.5.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.4990000.6.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3563da0.2.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.35b25d0.5.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.4990000.6.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3563da0.2.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/1@2/2

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\proforma_Invoice_0009300_74885959969_9876.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8052:120:WilError_03

Source: proforma_Invoice_0009300_74885959969_9876.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: proforma_Invoice_0009300_74885959969_9876.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: proforma_Invoice_0009300_74885959969_9876.exe

ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process created: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process created: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: proforma_Invoice_0009300_74885959969_9876.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: proforma_Invoice_0009300_74885959969_9876.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: proforma_Invoice_0009300_74885959969_9876.exe

Static PE information: 0xE7C2A12D [Thu Mar 19 09:09:01 2093 UTC]

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Code function: 2_2_01222511 push 8BFFFFFFh; retf

2_2_01222517

Source: proforma_Invoice_0009300_74885959969_9876.exe

Static PE information: section name: .text entropy: 7.670254764246

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process created: C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process created: C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe			Jump to behavior

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Memory allocated: 7B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Memory allocated: 2510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Memory allocated: 800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Memory allocated: 1180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Memory allocated: 2BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Memory allocated: 1180000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 597885	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 594641	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 594531	Jump to behavior

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Window / User API: threadDelayed 8074			Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Window / User API: threadDelayed 1709			Jump to behavior

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 7552	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8016	Thread sleep count: 8074 > 30	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8016	Thread sleep count: 1709 > 30	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -599124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -597885s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -597766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -597219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -596891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -596015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -595891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -595766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -595656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -595547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -595313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -594641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe TID: 8012	Thread sleep time: -594531s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 597885	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 594641	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Thread delayed: delay time: 594531	Jump to behavior

Source: proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1365926688.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.2520ea4.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.2520ea4.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.2520ea4.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Memory written: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process created: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Queries volume information: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Queries volume information: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 2.2.proforma_Invoice_0009300_74885959969_9876.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1367436679.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7560, type: MEMORYSTR

Source: Yara match	File source: 2.2.proforma_Invoice_0009300_74885959969_9876.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7560, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 2.2.proforma_Invoice_0009300_74885959969_9876.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3666c60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proforma_Invoice_0009300_74885959969_9876.exe.3646230.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1367436679.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: proforma_Invoice_0009300_74885959969_9876.exe PID: 7560, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 File Deletion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
proforma_Invoice_0009300_74885959969_9876.exe	66%	ReversingLabs	Win32.Trojan.Leonem
proforma_Invoice_0009300_74885959969_9876.exe	100%	Avira	HEUR/AGEN.1307394
proforma_Invoice_0009300_74885959969_9876.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://scratchdreams.tk	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/191.96.227.194	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/191.96.227.194$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.67.152	true	false	unknown
checkip.dyndns.com	193.122.6.168	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/191.96.227.194	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org	proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002CFC000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D67000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002DA3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002CFC000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D67000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002DA3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D67000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002DA3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/191.96.227.194$	proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002CFC000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D67000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002DA3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	proforma_Invoice_0009300_74885959969_9876.exe, 00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://scratchdreams.tk	proforma_Invoice_0009300_74885959969_9876.exe, 00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://reallyfreegeoip.org	proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002D67000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002DA3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	proforma_Invoice_0009300_74885959969_9876.exe, 00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1367436679.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, proforma_Invoice_0009300_74885959969_9876.exe, 00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.67.152	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1410983
Start date and time:	2024-03-18 14:29:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	proforma_Invoice_0009300_74885959969_9876.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/1@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 59 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target proforma_Invoice_0009300_74885959969_9876.exe, PID 7560 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: proforma_Invoice_0009300_74885959969_9876.exe

Simulations

Behavior and APIs

Time	Type	Description
14:30:12	API Interceptor	55x Sleep call for process: proforma_Invoice_0009300_74885959969_9876.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.67.152	ATM Dekont E-Maili pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse
	Q88 09284823910.scr.exe	Get hash	malicious	Snake Keylogger	Browse
	SecuriteInfo.com.Trojan.PackedNET.2725.8730.30889.exe	Get hash	malicious	Snake Keylogger	Browse
	vessel details.exe	Get hash	malicious	Snake Keylogger	Browse
	SecuriteInfo.com.Trojan.PackedNET.2725.27231.18654.exe	Get hash	malicious	Snake Keylogger	Browse
	Ship Particulars.exe	Get hash	malicious	Snake Keylogger	Browse
	SecuriteInfo.com.Trojan.PackedNET.2725.26841.22155.exe	Get hash	malicious	Snake Keylogger	Browse
	Bq4jHI36wz.exe	Get hash	malicious	Snake Keylogger	Browse
	z16O865459999HY.exe	Get hash	malicious	Snake Keylogger	Browse
	fatura.exe	Get hash	malicious	Snake Keylogger	Browse
193.122.6.168	SecuriteInfo.com.Trojan.PackedNET.2725.8730.30889.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.PackedNET.2725.27231.18654.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.PackedNET.2725.26841.22155.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Bztahpxu.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	Vessel Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	scan copy.jar	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.Packed2.46253.18026.16688.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	z95F6545600000880000.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	roundup.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	checkip.dyndns.org/
	Shipment Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	xdd6BRIg0O.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	132.226.247.73
	ATM Dekont E-Maili pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
	Halkbank_Ekstre_20240312_081829_752731.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Contract.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
	Q88 09284823910.scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Mquqdysqqv.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	#U83e0#U841d#U5305#U8f7b#U5c0f#U8bf4 5.0.36.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	193.122.130.0
	lO6Cysph34.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.Trojan.PackedNET.2725.1552.3502.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Trojan.PackedNET.2725.8730.30889.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
reallyfreegeoip.org	xdd6BRIg0O.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	172.67.177.134
	ATM Dekont E-Maili pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.67.152
	Halkbank_Ekstre_20240312_081829_752731.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Q88 09284823910.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	lO6Cysph34.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	SecuriteInfo.com.Trojan.PackedNET.2725.1552.3502.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	SecuriteInfo.com.Trojan.PackedNET.2725.8730.30889.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	vessel details.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	rTheRequestedReceipt.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	SecuriteInfo.com.Trojan.PackedNET.2725.27231.18654.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	LhypGRxeG7.elf	Get hash	malicious	Unknown	Browse	144.25.132.65
	4M8Yu1QU0d.elf	Get hash	malicious	Unknown	Browse	129.147.75.201
	1WqX6biryS.elf	Get hash	malicious	Mirai	Browse	140.238.50.78
	z75cWRJMWK.elf	Get hash	malicious	Mirai	Browse	144.25.132.41
	https://click.mail.medscape.com/?qs=d29946ce324b9b8c35e39f9ef27e10469f84e4360a327939d125e1248dd1822d98e434249b0c23dca093cf09248a0fcaf8fe17f890176377	Get hash	malicious	Unknown	Browse	150.136.26.45
	SecuriteInfo.com.ELF.Agent-AIN.23345.28475.elf	Get hash	malicious	Mirai	Browse	168.138.86.96
	ATM Dekont E-Maili pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
	Halkbank_Ekstre_20240312_081829_752731.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Contract.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
	Q88 09284823910.scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
CLOUDFLARENETUS	SOA FEB 2024.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	gMCSnfJRqp.exe	Get hash	malicious	FormBook	Browse	172.67.169.232
	qPAi9IP2Ck.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	172.67.75.166
	https://cloudflare-ipfs.com/ipfs/bafkreif2klim7glbgcsrfe6lm7wfd2scwmhee5i6dglyggzgvjgl53zw2i/#ZHdlbnNlbEBob2xsYW5kY28uY29t	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://drive.google.com/file/d/1IKxLiXVTT7OY6TeIorneTBc8KCU0p08q/view?usp=sharing#urNkDtydE8	Get hash	malicious	Phisher	Browse	104.22.6.203
	https://cthompson-vsc16.coupacloud.com/quotes/external_responses/b30e6941a7e0553e0d3b5d318c8a406aefe85fa0bd4d5e844560a248434cc9ccd28fbee0140d9980/terms?response_intend=true	Get hash	malicious	Unknown	Browse	162.247.243.29
	https://cthompson-vsc16.coupacloud.com/quotes/external_responses/b30e6941a7e0553e0d3b5d318c8a406aefe85fa0bd4d5e844560a248434cc9ccd28fbee0140d9980/terms?response_intend=true	Get hash	malicious	Unknown	Browse	104.16.126.175
	metadata.xml	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://onlinecgtapp.miros-app.com/browns-restaurants/property-value//imported/sso/t1//YnJpYW4uYXRraW5zb25AdmlyZ2lubW9uZXkuY29t	Get hash	malicious	Unknown	Browse	162.247.243.29
	SSDAIG33Zh.exe	Get hash	malicious	Babuk, Djvu	Browse	104.21.65.24

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	xdd6BRIg0O.exe	Get hash	malicious	PureLog Stealer, RedLine, Snake Keylogger	Browse	104.21.67.152
	file.exe	Get hash	malicious	LummaC, Babuk, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader	Browse	104.21.67.152
	SecuriteInfo.com.Program.Unwanted.5011.4925.3230.exe	Get hash	malicious	PureLog Stealer	Browse	104.21.67.152
	SecuriteInfo.com.Program.Unwanted.5011.4925.3230.exe	Get hash	malicious	PureLog Stealer	Browse	104.21.67.152
	wsr3iUW0I0.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer	Browse	104.21.67.152
	ATM Dekont E-Maili pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.67.152
	Halkbank_Ekstre_20240312_081829_752731.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	qOOq45FKRf.exe	Get hash	malicious	PureLog Stealer, Xehook Stealer	Browse	104.21.67.152
	Q88 09284823910.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	https://docs.google.com/drawings/d/1FOCmojL-27dX1mBuFcZy_UU5JFnHcfx3tkIooi0YGzA/preview	Get hash	malicious	Unknown	Browse	104.21.67.152

Process:	C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	706
Entropy (8bit):	5.349842958726647
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKharkvoDLI4MWuCq1KDLI4Mq92n4M6:ML9E4KlKDE4KhKiKhIE4Kx1qE4x84j
MD5:	A29F1F0983CFE0767B56BD3F32906196
SHA1:	A38543CAD5E151383FA945FF880856DC502A1224
SHA-256:	B892C3A6D2059FF69822E3A0003923BE0C0B2259C0E4904E30BB10C3D6E575F6
SHA-512:	FF52BC638E135EB070B6291808FE57FE8F2A37BB9F32DF2D6A885B30CC37268237A110E419975F19FB08878544787FA9D6A0AA07DC6911E08FBF52155F64DE42
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.657258105956618
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	proforma_Invoice_0009300_74885959969_9876.exe
File size:	486'400 bytes
MD5:	8edf0c1d21d2c8af7ec391b6d41e7956
SHA1:	608f1c3c75a4910b6ce7519f58ab3958349b4fcb
SHA256:	ef263c250445fa7bdc89056b3bccad7392d5b51b54bcd605efc949a5bed65a2c
SHA512:	607ddaaca6ce64dab274b6ebdf84968c81f0712e9bea10a2733f3f4a27a85c7ce5b001e111ddd615bc1606059e993e7f8a6f77725a511163b026557da6bcc8bb
SSDEEP:	12288:lKnXO0XBsehmTPtbvlTuy7EBXWaebaC31Xykn1IXPYnc:uRQp1uiEBXWaebaC31ikn1I/Yc
TLSH:	63A4E01627AD8331C95F47B6F861401397F1D1B27A85EFAC6DC4ACD68107B828D41BBE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-.................0..b............... ........@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x47800e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xE7C2A12D [Thu Mar 19 09:09:01 2093 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x77fc0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7a000	0x596	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x76014	0x76200	7f9d5a3d72986640c32f611167cbd2c2	False	0.7568018353174604	SysEx File -	7.670254764246	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x7a000	0x596	0x600	34c5c3e98a52ac64c03d1752d8d60871	False	0.4114583333333333	data	4.061531458546445	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7c000	0xc	0x200	49e3b91cb77e6791135caa460067087e	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x7a0a0	0x30c	data			0.4166666666666667
RT_MANIFEST	0x7a3ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 18, 2024 14:30:10.162389040 CET	49704	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:10.345711946 CET	80	49704	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:10.345882893 CET	49704	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:10.354036093 CET	49704	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:10.537204981 CET	80	49704	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:12.907377958 CET	80	49704	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:12.917053938 CET	49704	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:13.100317955 CET	80	49704	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:13.103790045 CET	80	49704	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:13.158864975 CET	49704	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:13.252100945 CET	49705	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:13.252147913 CET	443	49705	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:13.252233982 CET	49705	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:13.260482073 CET	49705	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:13.260500908 CET	443	49705	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:13.467175961 CET	443	49705	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:13.467355967 CET	49705	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:13.473589897 CET	49705	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:13.473604918 CET	443	49705	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:13.474056959 CET	443	49705	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:13.518270016 CET	49705	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:13.583745956 CET	49705	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:13.624248028 CET	443	49705	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:13.682579994 CET	443	49705	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:13.682905912 CET	443	49705	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:13.683016062 CET	49705	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:13.689925909 CET	49705	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:13.695774078 CET	49704	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:13.882498026 CET	80	49704	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:13.885984898 CET	49706	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:13.886030912 CET	443	49706	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:13.886100054 CET	49706	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:13.887029886 CET	49706	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:13.887046099 CET	443	49706	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:13.924504042 CET	49704	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:14.086186886 CET	443	49706	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:14.099186897 CET	49706	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:14.099214077 CET	443	49706	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:14.313885927 CET	443	49706	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:14.314008951 CET	443	49706	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:14.314094067 CET	49706	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:14.314755917 CET	49706	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:14.323611975 CET	49704	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:14.325324059 CET	49707	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:14.495047092 CET	80	49707	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:14.495183945 CET	49707	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:14.495388031 CET	49707	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:14.506814003 CET	80	49704	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:14.507038116 CET	49704	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:14.665173054 CET	80	49707	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:14.754085064 CET	80	49707	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:14.755681992 CET	49708	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:14.755717039 CET	443	49708	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:14.755789995 CET	49708	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:14.756113052 CET	49708	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:14.756127119 CET	443	49708	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:14.799498081 CET	49707	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:14.941438913 CET	443	49708	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:14.943566084 CET	49708	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:14.943591118 CET	443	49708	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:15.170397997 CET	443	49708	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:15.170494080 CET	443	49708	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:15.170553923 CET	49708	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:15.171194077 CET	49708	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:15.181200027 CET	49709	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:15.351272106 CET	80	49709	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:15.351337910 CET	49709	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:15.351536989 CET	49709	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:15.521845102 CET	80	49709	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:15.796169043 CET	80	49709	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:15.797830105 CET	49710	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:15.797867060 CET	443	49710	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:15.797946930 CET	49710	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:15.798399925 CET	49710	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:15.798413992 CET	443	49710	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:15.846364975 CET	49709	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:15.984399080 CET	443	49710	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:15.991938114 CET	49710	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:15.991966963 CET	443	49710	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:16.223689079 CET	443	49710	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:16.223771095 CET	443	49710	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:16.223830938 CET	49710	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:16.224847078 CET	49710	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:16.232431889 CET	49709	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:16.234040022 CET	49711	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:16.402240038 CET	80	49709	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:16.402333975 CET	49709	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:16.403316021 CET	80	49711	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:16.403393030 CET	49711	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:16.403595924 CET	49711	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:16.573739052 CET	80	49711	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:16.595854998 CET	80	49711	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:16.597526073 CET	49712	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:16.597584009 CET	443	49712	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:16.597651958 CET	49712	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:16.598118067 CET	49712	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:16.598129988 CET	443	49712	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:16.643361092 CET	49711	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:17.083333015 CET	443	49712	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:17.086390018 CET	49712	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:17.086427927 CET	443	49712	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:17.270988941 CET	443	49712	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:17.271100998 CET	443	49712	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:17.271161079 CET	49712	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:17.271846056 CET	49712	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:17.282689095 CET	49711	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:17.284461975 CET	49713	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:17.454571962 CET	80	49711	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:17.454685926 CET	49711	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:17.457106113 CET	80	49713	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:17.457189083 CET	49713	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:17.457396984 CET	49713	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:17.629509926 CET	80	49713	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:17.630165100 CET	80	49713	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:17.631931067 CET	49714	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:17.631970882 CET	443	49714	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:17.632070065 CET	49714	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:17.632529974 CET	49714	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:17.632544041 CET	443	49714	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:17.674498081 CET	49713	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:17.818650007 CET	443	49714	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:17.820580006 CET	49714	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:17.820606947 CET	443	49714	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:18.047200918 CET	443	49714	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:18.047291040 CET	443	49714	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:18.047401905 CET	49714	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:18.048165083 CET	49714	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:18.054171085 CET	49713	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:18.055773020 CET	49715	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:18.226171017 CET	80	49713	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:18.226246119 CET	49713	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:18.238095999 CET	80	49715	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:18.238173008 CET	49715	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:18.238365889 CET	49715	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:18.420629978 CET	80	49715	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:18.421215057 CET	80	49715	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:18.422873020 CET	49716	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:18.422914028 CET	443	49716	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:18.422980070 CET	49716	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:18.423362970 CET	49716	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:18.423377991 CET	443	49716	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:18.471395969 CET	49715	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:18.618659973 CET	443	49716	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:18.620373964 CET	49716	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:18.620398045 CET	443	49716	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:18.862828016 CET	443	49716	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:18.862993002 CET	443	49716	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:18.863056898 CET	49716	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:18.865253925 CET	49716	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:18.873950005 CET	49715	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:18.876652002 CET	49717	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:19.048525095 CET	80	49717	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:19.048634052 CET	49717	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:19.048847914 CET	49717	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:19.057862997 CET	80	49715	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:19.057934999 CET	49715	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:19.218816996 CET	80	49717	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:19.219835997 CET	80	49717	193.122.6.168	192.168.2.10
Mar 18, 2024 14:30:19.221715927 CET	49718	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:19.221755981 CET	443	49718	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:19.221822023 CET	49718	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:19.222291946 CET	49718	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:19.222310066 CET	443	49718	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:19.268378019 CET	49717	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:19.410573959 CET	443	49718	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:19.412587881 CET	49718	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:19.412622929 CET	443	49718	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:19.638044119 CET	443	49718	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:19.638273954 CET	443	49718	104.21.67.152	192.168.2.10
Mar 18, 2024 14:30:19.638356924 CET	49718	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:19.639107943 CET	49718	443	192.168.2.10	104.21.67.152
Mar 18, 2024 14:30:19.908931017 CET	49717	80	192.168.2.10	193.122.6.168
Mar 18, 2024 14:30:19.909010887 CET	49707	80	192.168.2.10	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 18, 2024 14:30:09.808936119 CET	61346	53	192.168.2.10	1.1.1.1
Mar 18, 2024 14:30:09.897511959 CET	53	61346	1.1.1.1	192.168.2.10
Mar 18, 2024 14:30:13.157970905 CET	65356	53	192.168.2.10	1.1.1.1
Mar 18, 2024 14:30:13.247292042 CET	53	65356	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 18, 2024 14:30:09.808936119 CET	192.168.2.10	1.1.1.1	0xab69	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 18, 2024 14:30:13.157970905 CET	192.168.2.10	1.1.1.1	0x66f8	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 18, 2024 14:30:09.897511959 CET	1.1.1.1	192.168.2.10	0xab69	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 18, 2024 14:30:09.897511959 CET	1.1.1.1	192.168.2.10	0xab69	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 18, 2024 14:30:09.897511959 CET	1.1.1.1	192.168.2.10	0xab69	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 18, 2024 14:30:09.897511959 CET	1.1.1.1	192.168.2.10	0xab69	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 18, 2024 14:30:09.897511959 CET	1.1.1.1	192.168.2.10	0xab69	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 18, 2024 14:30:09.897511959 CET	1.1.1.1	192.168.2.10	0xab69	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 18, 2024 14:30:13.247292042 CET	1.1.1.1	192.168.2.10	0x66f8	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Mar 18, 2024 14:30:13.247292042 CET	1.1.1.1	192.168.2.10	0x66f8	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49704	193.122.6.168	80	7560	C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2024 14:30:10.354036093 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 18, 2024 14:30:12.907377958 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Mar 2024 13:30:12 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3daaf5653c1d1f527fbe4a3ac2154007 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 31 39 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.194</body></html>
Mar 18, 2024 14:30:12.917053938 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 18, 2024 14:30:13.103790045 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Mar 2024 13:30:13 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2dd5a76197dfe429398d0bc1d114d26b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 31 39 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.194</body></html>
Mar 18, 2024 14:30:13.695774078 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 18, 2024 14:30:13.882498026 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Mar 2024 13:30:13 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5c1824d4b235cd8791240e1422531eb6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 31 39 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.194</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49707	193.122.6.168	80	7560	C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2024 14:30:14.495388031 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 18, 2024 14:30:14.754085064 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Mar 2024 13:30:14 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6eb2db7b7b9b306e62afaaec75d60dd9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 31 39 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.194</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49709	193.122.6.168	80	7560	C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2024 14:30:15.351536989 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 18, 2024 14:30:15.796169043 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Mar 2024 13:30:15 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7af937a79b7db7bae48a0b11130d3049 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 31 39 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.194</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49711	193.122.6.168	80	7560	C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2024 14:30:16.403595924 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 18, 2024 14:30:16.595854998 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Mar 2024 13:30:16 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b9ace1c0cbe6a689623ec9640db989ab Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 31 39 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.194</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49713	193.122.6.168	80	7560	C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2024 14:30:17.457396984 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 18, 2024 14:30:17.630165100 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Mar 2024 13:30:17 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 87c3f84ff62b2e0599b54d6464c175a4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 31 39 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.194</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49715	193.122.6.168	80	7560	C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2024 14:30:18.238365889 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 18, 2024 14:30:18.421215057 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Mar 2024 13:30:18 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6c0cedbdd17a06e15faee50e14ba7b90 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 31 39 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.194</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49717	193.122.6.168	80	7560	C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2024 14:30:19.048847914 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 18, 2024 14:30:19.219835997 CET	323	IN	HTTP/1.1 200 OK Date: Mon, 18 Mar 2024 13:30:19 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 04bba6d368d4a4ef031856e49cea5b83 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 39 31 2e 39 36 2e 32 32 37 2e 31 39 34 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.227.194</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49705	104.21.67.152	443	7560	C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-18 13:30:13 UTC	87	OUT	GET /xml/191.96.227.194 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-03-18 13:30:13 UTC	705	IN	HTTP/1.1 200 OK Date: Mon, 18 Mar 2024 13:30:13 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 8233 Last-Modified: Mon, 18 Mar 2024 11:13:00 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R2FU%2BvXroD031u9NnzeMqOdJlfL5ddfjY5fMsuIX7cuspJp8gc2Qbx%2B88r2Q3gvd2rIfkC0OI6b8nBdkGR859sFextZGqodZ%2Bl1zjIfWXWedHRI2Z7zzKvZQlaBf2OhEyHo4pP1V"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8665937b291178e8-EWR alt-svc: h3=":443"; ma=86400
2024-03-18 13:30:13 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 31 39 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.194</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-03-18 13:30:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49706	104.21.67.152	443	7560	C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-18 13:30:14 UTC	63	OUT	GET /xml/191.96.227.194 HTTP/1.1 Host: reallyfreegeoip.org
2024-03-18 13:30:14 UTC	709	IN	HTTP/1.1 200 OK Date: Mon, 18 Mar 2024 13:30:14 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 8234 Last-Modified: Mon, 18 Mar 2024 11:13:00 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EjnvoA87w6MSCOMY0RwE1y%2F2cNnb0w9%2F7QMSt1mRzw7g1OpSLtd0B4lC0p8HKYcD0NgUACenx9yKREHtUV6QU2%2BWbyWF1By1gAARRaAPsNc1XEf2mmQzNZYcriDL%2BJVyjpUCjb%2FF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8665937f1d8041e9-EWR alt-svc: h3=":443"; ma=86400
2024-03-18 13:30:14 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 31 39 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.194</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-03-18 13:30:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49708	104.21.67.152	443	7560	C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-18 13:30:14 UTC	87	OUT	GET /xml/191.96.227.194 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-03-18 13:30:15 UTC	713	IN	HTTP/1.1 200 OK Date: Mon, 18 Mar 2024 13:30:15 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 8235 Last-Modified: Mon, 18 Mar 2024 11:13:00 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O3GtkZLtmlYa0vzSTVuCGOiydQROW5aPBGVwWpv2glgvH1Gto%2B%2BEtgfsMTj8k7XKRcRVl%2Bi9ukmK1yCtS9eC%2B3dfzVzXzSLx5Br%2BMsbleWh9te%2B88fq7O3SHMWDbc%2Fzg8OFi84J3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 866593847a9c236b-EWR alt-svc: h3=":443"; ma=86400
2024-03-18 13:30:15 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 31 39 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.194</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-03-18 13:30:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49710	104.21.67.152	443	7560	C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-18 13:30:15 UTC	87	OUT	GET /xml/191.96.227.194 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-03-18 13:30:16 UTC	705	IN	HTTP/1.1 200 OK Date: Mon, 18 Mar 2024 13:30:16 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 8236 Last-Modified: Mon, 18 Mar 2024 11:13:00 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=04H%2FWR2fiWTMt8vxqyd7SQLSc9WgPonnKEtIohAZ7ebDqJ5o1NNBxvEe8cz%2B4ropGM3AG7HERAz3DdkY7uvZDi1O5%2B444k2DLoQH1YoybM0OalXccH9PESPxqakKZakqMuGJQ7AW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8665938aff094257-EWR alt-svc: h3=":443"; ma=86400
2024-03-18 13:30:16 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 31 39 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.194</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-03-18 13:30:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49712	104.21.67.152	443	7560	C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-18 13:30:17 UTC	87	OUT	GET /xml/191.96.227.194 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-03-18 13:30:17 UTC	707	IN	HTTP/1.1 200 OK Date: Mon, 18 Mar 2024 13:30:17 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 8237 Last-Modified: Mon, 18 Mar 2024 11:13:00 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7RZexeFg3CngDrDHlPrBSeZ4SPz%2BJrqjFpVLQRzKY36Cg9jDVB6GqcsPzo7%2Bvt4pTF0bnW8VjlusFRq981czR6NWKIDVsHO6UDfjkNt4%2BWFmbzB9pJ2gNvJQx%2FI7N4GDXVaIibC8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 866593919e5380e2-EWR alt-svc: h3=":443"; ma=86400
2024-03-18 13:30:17 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 31 39 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.194</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-03-18 13:30:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49714	104.21.67.152	443	7560	C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-18 13:30:17 UTC	87	OUT	GET /xml/191.96.227.194 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-03-18 13:30:18 UTC	707	IN	HTTP/1.1 200 OK Date: Mon, 18 Mar 2024 13:30:18 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 8237 Last-Modified: Mon, 18 Mar 2024 11:13:00 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zNVhSl%2FBbViYP%2BEUkceIWRFE1ySfD5xNFKB6pCPd3hUu7YWfdalt5EN73xBuTmz4gy8OMl8NARcXbfqJu6XGK9xnkc8xX2Px%2BKoLG2Up0zn%2FLAUmI3PShk6SUfz40HvJUkNoLPvL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 866593966d127283-EWR alt-svc: h3=":443"; ma=86400
2024-03-18 13:30:18 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 31 39 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.194</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-03-18 13:30:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49716	104.21.67.152	443	7560	C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-18 13:30:18 UTC	87	OUT	GET /xml/191.96.227.194 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-03-18 13:30:18 UTC	711	IN	HTTP/1.1 200 OK Date: Mon, 18 Mar 2024 13:30:18 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 8238 Last-Modified: Mon, 18 Mar 2024 11:13:00 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Di99ngiSquyYBHhYYLvFEGevjryDBZgO8DidNkB5R8l71c0QS4C6gSi4Jzwl9%2FzuWKC0FLYZWZN64WN7VsQLG1CGyFqRrLtfsSr%2FQqZYW%2F%2FC8mPnCIDFDBftn7X0FM%2F%2Fw7ByE5UT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8665939b7c0f8c5d-EWR alt-svc: h3=":443"; ma=86400
2024-03-18 13:30:18 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 31 39 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.194</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-03-18 13:30:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49718	104.21.67.152	443	7560	C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-18 13:30:19 UTC	87	OUT	GET /xml/191.96.227.194 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-03-18 13:30:19 UTC	709	IN	HTTP/1.1 200 OK Date: Mon, 18 Mar 2024 13:30:19 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 8239 Last-Modified: Mon, 18 Mar 2024 11:13:00 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vClAhbdTr63hlkUy%2BvWxUKlQk%2Bh9sXH04jyw2XtsdPorLBOq05ruh4hx9MVYoOMiUc4a42FqIWCtdYmPCdiIeixOEA%2BNDD3ZIbTPgcIXz%2BTRVJoEXTgkLlUlJo546nLaUgbi%2Bj6M"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 866593a05c66422e-EWR alt-svc: h3=":443"; ma=86400
2024-03-18 13:30:19 UTC	369	IN	Data Raw: 31 36 61 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 39 31 2e 39 36 2e 32 32 37 2e 31 39 34 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 41 5a 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 41 72 69 7a 6f 6e 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 50 68 6f 65 6e 69 78 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 35 30 30 34 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 50 68 6f 65 6e 69 78 3c 2f 54 69 Data Ascii: 16a<Response><IP>191.96.227.194</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>AZ</RegionCode><RegionName>Arizona</RegionName><City>Phoenix</City><ZipCode>85004</ZipCode><TimeZone>America/Phoenix</Ti
2024-03-18 13:30:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	14:30:07
Start date:	18/03/2024
Path:	C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe
Imagebase:	0xd0000
File size:	486'400 bytes
MD5 hash:	8EDF0C1D21D2C8AF7EC391B6D41E7956
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1261640738.0000000003604000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:30:08
Start date:	18/03/2024
Path:	C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe
Imagebase:	0x7a0000
File size:	486'400 bytes
MD5 hash:	8EDF0C1D21D2C8AF7EC391B6D41E7956
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.1365533258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.1367436679.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:30:18
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\proforma_Invoice_0009300_74885959969_9876.exe
Imagebase:	0xd70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:30:18
Start date:	18/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:30:18
Start date:	18/03/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0xd50000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	76%
Total number of Nodes:	25
Total number of Limit Nodes:	1

Executed Functions

Function 007BABD8 Relevance: 1.9, Strings: 1, Instructions: 615
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 007BB388

Memory Dump Source

Source File: 00000000.00000002.1261144534.00000000007B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 3d40e27a04dd1c553442feee0959149f7290b313447b15824e9c2ed85c5e503d
Instruction ID: 5c874a3657ddbc3c980ba5a31a57a87745b121974f9b264d4170a3cbf0a4dd2f
Opcode Fuzzy Hash: 3d40e27a04dd1c553442feee0959149f7290b313447b15824e9c2ed85c5e503d
Instruction Fuzzy Hash: E652B174E01228CFDB65DF69C954BEDBBB2BF89300F5081E99409AB291DB749E85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 007B9F2C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 007BB8D9

Memory Dump Source

Source File: 00000000.00000002.1261144534.00000000007B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 383ec334321c15562d98ba43e228e085a8776f8d9f5d983f0b37a0befb202202
Instruction ID: dde4f98b123564f9d2596e42816fd1222a1a8dc00c46bbdf1f1e77e393e96c0d
Opcode Fuzzy Hash: 383ec334321c15562d98ba43e228e085a8776f8d9f5d983f0b37a0befb202202
Instruction Fuzzy Hash: 8A81C175D00229DFEB20CFA5C844BDDBBF5AB09300F1491AAE508B7220DB74AA89CF54

Uniqueness

Uniqueness Score: -1.00%

Function 007BA7B0 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 007BA883

Memory Dump Source

Source File: 00000000.00000002.1261144534.00000000007B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3e7eea559a726b6d19ef83deac2f07131ff4d56cac2cb362773b21e36e22a7ae
Instruction ID: d9af6c4d088c768caf4cc264f6c9deef1cd99bb08ec842440966a871263d05c9
Opcode Fuzzy Hash: 3e7eea559a726b6d19ef83deac2f07131ff4d56cac2cb362773b21e36e22a7ae
Instruction Fuzzy Hash: 0B41BBB5D012589FCF10DFA9D984ADEFBF1BB49310F24902AE818B7210D779AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 007B9F50 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 007BBBE5

Memory Dump Source

Source File: 00000000.00000002.1261144534.00000000007B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a3a1712eb227b25738d742d36e4bcb768e5bbdb23952069058f770d9b75c281c
Instruction ID: 54e64c0aa0b987769a4f6f1bca64869db07d3a01185cf78762db63a858718339
Opcode Fuzzy Hash: a3a1712eb227b25738d742d36e4bcb768e5bbdb23952069058f770d9b75c281c
Instruction Fuzzy Hash: D14178B9D04258DFCF10CFAAD984AEEFBB5BB19310F14902AE814B7210D375A945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 007BA908 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 007BA9B2

Memory Dump Source

Source File: 00000000.00000002.1261144534.00000000007B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0cf1e94334104d57abd41cc0a5186d7e2f37f6e829e444c87c109860d611d0eb
Instruction ID: 35f1e356bf91423352c9cfcc68ae18ac24b20982a4365434e0544ea5a2435006
Opcode Fuzzy Hash: 0cf1e94334104d57abd41cc0a5186d7e2f37f6e829e444c87c109860d611d0eb
Instruction Fuzzy Hash: 5831A8B9D002589FCF10CFAAD980ADEFBB1BB49310F10942AE814B7210D735A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 007BA688 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 007BA737

Memory Dump Source

Source File: 00000000.00000002.1261144534.00000000007B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 983148e390f146e136cc34e955175640e67f29420e6ca2a3cef27633941ff1fe
Instruction ID: 794216a5ce2872acd80cccc1e06e441240cacd81834361cfaa64c92cb13307a2
Opcode Fuzzy Hash: 983148e390f146e136cc34e955175640e67f29420e6ca2a3cef27633941ff1fe
Instruction Fuzzy Hash: 3C31BBB5D002589FDB14DFAAD884AEEFBF1BF49310F24802AE414B7240D778A989CF54

Uniqueness

Uniqueness Score: -1.00%

Function 007B9F38 Relevance: 1.6, APIs: 1, Instructions: 91
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64GetThreadContext.KERNEL32(?,?), ref: 007BBAD2

Memory Dump Source

Source File: 00000000.00000002.1261144534.00000000007B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ee3b26e8d87b2005bd07ba912b1724a8ef09e7040346f6d0c9cbb28963e07f8e
Instruction ID: d27e72a6107a207339c5281edaf23adb63ddb9e9703b828292f4d09e17790681
Opcode Fuzzy Hash: ee3b26e8d87b2005bd07ba912b1724a8ef09e7040346f6d0c9cbb28963e07f8e
Instruction Fuzzy Hash: A9319AB5D052589FCB10CFAAD984AEEFBF5FB49314F24802AE814B7250D378A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 007BAA28 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 007BAAA6

Memory Dump Source

Source File: 00000000.00000002.1261144534.00000000007B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b0000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0b4e51775d2f8d8dfcdae5ef6b853bd240c5ca05fabcf4fb34048bc7488973c8
Instruction ID: 7947ee316a8549d9fe672dd41aabdd4f80fa257c723fcd391fa89dcd55618284
Opcode Fuzzy Hash: 0b4e51775d2f8d8dfcdae5ef6b853bd240c5ca05fabcf4fb34048bc7488973c8
Instruction Fuzzy Hash: 9C31CBB4D00218AFCB24DFAAD580ADEFBB5AB49310F24802AE814B7200C775A845CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0071D5B8 Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1261043160.000000000071D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28064e9c6760e6a5c9be0838babe99627adfe3047d2d518a6cf88dbeb286b41
Instruction ID: ad26e29974939fbb463eacd0e6b934c8ecc9c97df80340fe5f3136c9f13e2c16
Opcode Fuzzy Hash: f28064e9c6760e6a5c9be0838babe99627adfe3047d2d518a6cf88dbeb286b41
Instruction Fuzzy Hash: F32128B1504304DFDB25DF18D9C4B56BB65FB94354F24C569D8090B286C33ADC96CEA1

Uniqueness

Uniqueness Score: -1.00%

Function 0071D5B3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261043160.000000000071D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction ID: 552cd39441edc27b9d4a5c057ea4b0fb4790728b3c87d6d59baf2ecaabdfe410
Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction Fuzzy Hash: D211B176504240CFCB16CF14D9C4B56BF72FB94314F24C6A9D8090B656C33AD896CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: proforma_Invoice_0009300_74885959969_9876.exePID: 7560, Parent PID: 7496COMMON

Executed Functions

Function 012298B8 Relevance: .8, Instructions: 844COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd80ccc02a9f3eb4f0f63fa60c38e13b98bba8e614a25bddb3d1ae310bf0f8e
Instruction ID: 67f7a0702a8b52d03aa221fb4e8970e709c886c4cd4cdc86f1d919d5d0c431ef
Opcode Fuzzy Hash: edd80ccc02a9f3eb4f0f63fa60c38e13b98bba8e614a25bddb3d1ae310bf0f8e
Instruction Fuzzy Hash: 0672B131A1022AEFCF15CF68C884AAEBBF2FF89304F158559E9059B761D771E891CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01226168 Relevance: .5, Instructions: 507COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536deaf23afa10062190b90a345a1e86684cd2454a2f8005db165476e7590848
Instruction ID: a851e79b9f8a4cd9c898849f4bfa1a9655c8ef7238f26dc5f7361e4988b4f807
Opcode Fuzzy Hash: 536deaf23afa10062190b90a345a1e86684cd2454a2f8005db165476e7590848
Instruction Fuzzy Hash: B812AC71A102199FDB14CF69D854BAEBBB6FF88300F248529E909EB391DB74DC41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01226790 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb62e8987e7913b7013f11a8c4c070e0424df07925b447ca04b57ee49f0fa0d5
Instruction ID: d2529a0e42afcef4e176281f41a5e61bd2b3b71a570a8b4bc7ff5345c610459c
Opcode Fuzzy Hash: fb62e8987e7913b7013f11a8c4c070e0424df07925b447ca04b57ee49f0fa0d5
Instruction Fuzzy Hash: 08026E72E10229EFDB14DF69C988AADBBB6FF88300F148469E905AB361D770DC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0122B388 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb4c3b85f273f8d0ecc79885f6118f921a568b50c4410d3158f961c79c4a01c
Instruction ID: 806af5ea6991e0f3c586d2c18ca356b4777e3a6a3dec0fc7e806973ce8c3b557
Opcode Fuzzy Hash: edb4c3b85f273f8d0ecc79885f6118f921a568b50c4410d3158f961c79c4a01c
Instruction Fuzzy Hash: E5E10975E10229DFDB14CFA9D894A9DBBB1FF49300F1580A9E919AB361DB30E841CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0122C1F0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 653981697de421955e7788af7629c0dc7ec3820a6c65ba486fe8966f7b9bdf54
Instruction ID: 745b6915071d7b401825fcf0aae1b090e7f5936d647158a43af62fa115b97c9d
Opcode Fuzzy Hash: 653981697de421955e7788af7629c0dc7ec3820a6c65ba486fe8966f7b9bdf54
Instruction Fuzzy Hash: E491C574E10218DFDB18DFA9D984A9DBBF2FF88300F148069E819AB365DB749941CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0122C4D0 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9433fdfe031a6a7dd291e10a464722f91e29208947de9233ce5aa563afc5c12
Instruction ID: d94d72afc690a0033587b797e880c0b29b2fc97c15d7975b04bba21fa6abf22f
Opcode Fuzzy Hash: c9433fdfe031a6a7dd291e10a464722f91e29208947de9233ce5aa563afc5c12
Instruction Fuzzy Hash: A381E5B4E10218DFDB18DFA9D984A9DBBF2FF88300F109069E819AB365DB705941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0122C7B2 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d990a6ac8ddcead77afb11c55d1be0ad3ea9f46f5847ea5eec57e23d3e6e2b
Instruction ID: ccac72811e837738b4a2ce432c8570d6741cf1e0ff4303bba7bc32e5f7de70ab
Opcode Fuzzy Hash: 78d990a6ac8ddcead77afb11c55d1be0ad3ea9f46f5847ea5eec57e23d3e6e2b
Instruction Fuzzy Hash: 4781C4B4E10218DFDB18DFA9D984BADBBF2BF88300F148069E809AB365DB745941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01224B31 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 562265b35c6009faf8ead4201c1825376edf0d2e5505eb0006d7cce8f8d7f2a5
Instruction ID: b6a7d8d55da7eafce4111cf17106584a3f950ae9753bee5f7fb971db3f7c57cc
Opcode Fuzzy Hash: 562265b35c6009faf8ead4201c1825376edf0d2e5505eb0006d7cce8f8d7f2a5
Instruction Fuzzy Hash: 9F81B274E10258DFDB18DFA9D984B9DBBF2BF88300F14806AE819AB365DB749941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0122CA92 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b7c9e1ec14db2c34b2f1b8c9272ba834d9cf1771cda22e730500f44af3e7b2
Instruction ID: 8b148cf2694804686c05e97695941e3e2b01e1d006b1d4ead017a46a3373fe1c
Opcode Fuzzy Hash: 64b7c9e1ec14db2c34b2f1b8c9272ba834d9cf1771cda22e730500f44af3e7b2
Instruction Fuzzy Hash: 3C8193B4E10218DFDB18DFA9D984A9DBBF2BF88300F14C069E819AB365DB749941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0122BF12 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 217dcb834388346e1420afa55be1872cb543aacb33a8fb113acb7c1dd7c8dcab
Instruction ID: 0a8b53b63910f4f10e4773ce23e382c2e20d2d21ad5bb2ea982a67cc2bccf777
Opcode Fuzzy Hash: 217dcb834388346e1420afa55be1872cb543aacb33a8fb113acb7c1dd7c8dcab
Instruction Fuzzy Hash: 5281C474E10218DFEB14DFA9D984A9DBBF2BF89300F24C069E819AB365DB749941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0122B552 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855697ddcfbed377cdce51f1621e7ab3b89b618ac281dd7538f15c70d1de7e3e
Instruction ID: 232bea4257f77f5b7b365f088e2ea28cc919313d90287e4998e51d608069e773
Opcode Fuzzy Hash: 855697ddcfbed377cdce51f1621e7ab3b89b618ac281dd7538f15c70d1de7e3e
Instruction Fuzzy Hash: BA61E6B4E10219DFEB18DFAAD944A9DBBF2BF88300F14C029E919AB365DB745941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01227850 Relevance: .7, Instructions: 700COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8e47990dd225cb37c446b0ca620fc405b46c24f659d23bf20851e37ead46496
Instruction ID: 6d5ff5c4ea01aa0049226e9fc0b1fc00514b7f58bceb7506d56341f08e7f5092
Opcode Fuzzy Hash: d8e47990dd225cb37c446b0ca620fc405b46c24f659d23bf20851e37ead46496
Instruction Fuzzy Hash: DB524174A00319CFEB15AFA4C860BAEBB72FF44340F1080A9C14A6B755DE759D85DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01228849 Relevance: .5, Instructions: 491COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dae05e45f8021a7330c22231f023e12534c64724a331f344ff92ed990f7b5fc
Instruction ID: 926cd86a8f20dea2404f01371943fe68c31640c8de735f3c076c3de3a914630e
Opcode Fuzzy Hash: 1dae05e45f8021a7330c22231f023e12534c64724a331f344ff92ed990f7b5fc
Instruction Fuzzy Hash: 81F1A270324231AFEB299A3DC955B3D3AD6AF95740F14446AE602CF3A2EF69CC41C741

Uniqueness

Uniqueness Score: -1.00%

Function 01226EB8 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e00b056c80b0b9e63f99619d89a43745c6ad9394e9310bd6c3f669d1d72e11
Instruction ID: 5f42059e9113127505e93f2394d5e5ef65468daa87f5f0f5c69ce9603d0680fd
Opcode Fuzzy Hash: c5e00b056c80b0b9e63f99619d89a43745c6ad9394e9310bd6c3f669d1d72e11
Instruction Fuzzy Hash: BB127A30A14229AFCB15CF68D884AAEBBF2FF59310F548599E949DB361CB30ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01220C8F Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557c4dc6959345984e8f65d0be9ec1088e3d2e524fa26e9950b97db1fedf1d3a
Instruction ID: 8466c6b93269a8d129352604120bb39846bbe2eca59e721ae6cb09b5397b0ecb
Opcode Fuzzy Hash: 557c4dc6959345984e8f65d0be9ec1088e3d2e524fa26e9950b97db1fedf1d3a
Instruction Fuzzy Hash: BF22D8B8A00219CFCB54EF64ED84A9DBBB2FF48304F1099A5D449AB758DB706E85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0122A878 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e887f206bb90261ef5e3099b2c5f63415f32e4f08e56a909d830047393e45b2
Instruction ID: ac0624a07b3b5e29fa572bc04fe6306b16275bc327d63282c97ed427df07c3fa
Opcode Fuzzy Hash: 0e887f206bb90261ef5e3099b2c5f63415f32e4f08e56a909d830047393e45b2
Instruction Fuzzy Hash: 75F17075A10225DFCB04CF6DC984AADBBF6FF88310B1A8499E519ABB61C735EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01220CA0 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f826b1d42aba3cff6a8d4c48ab4599e47edb3e288b0702cabfe40cecd20896cf
Instruction ID: bb3762a2b48324bb0961825fe4423329c118cb579bd2b6f0f8f2387892b8e250
Opcode Fuzzy Hash: f826b1d42aba3cff6a8d4c48ab4599e47edb3e288b0702cabfe40cecd20896cf
Instruction Fuzzy Hash: E322D8B8A00219CFCB54EF64ED84A9DBBB2FF48304F1099A5D449AB758DB706E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01225700 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b49c62e8ca58722dd69f9f483213df7a0dbf6813a60a701f0cefa4ccbc4f29
Instruction ID: ddcab309437480047159ce4e1d90960954080317ccbf55886e4718301244610d
Opcode Fuzzy Hash: 74b49c62e8ca58722dd69f9f483213df7a0dbf6813a60a701f0cefa4ccbc4f29
Instruction Fuzzy Hash: 5BB1D230714225AFDB159F38C854BBE7BA2BF89250F148969EA46CB391DB74CC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01225C60 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598a8f9d8cb22e329988adb8a57c7eee2a997da28a5c13767cd038430faba104
Instruction ID: 6e542976450b580553916f8593587876300ecd09985766c05e2f5296f75ec569
Opcode Fuzzy Hash: 598a8f9d8cb22e329988adb8a57c7eee2a997da28a5c13767cd038430faba104
Instruction Fuzzy Hash: 9C819334A20126AFDB14CF6DC488AEDBBB2FF89214B54C169D615EB361DB31EC42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01227498 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5830013cd93321ee45a93dddc1d83eb38b2e82d7d166e758e25766c5e244fa5
Instruction ID: ac166826924158e92e6773dac70e80d88df4d04c3be082f67ceb3275b3f26581
Opcode Fuzzy Hash: e5830013cd93321ee45a93dddc1d83eb38b2e82d7d166e758e25766c5e244fa5
Instruction Fuzzy Hash: E2712930724656DFDB25DF2CC888ABD7BE6AF59240B1504A5EA05CB3B1DB70DC51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0122D3C2 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5688a50fa41ff8d3d142845553d92bbbb32b0337cfcf7d109ccd864d57cf6cf
Instruction ID: 9e35d6658aeccc348fa120dc8abd85c1b485c8cfc99e470c1de5f13df053110c
Opcode Fuzzy Hash: d5688a50fa41ff8d3d142845553d92bbbb32b0337cfcf7d109ccd864d57cf6cf
Instruction Fuzzy Hash: 1B51C0788A13478FD7503F31BAAC56E7BB0FB1FBA77416D06A15E9A089CB391464CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0122D3D0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 514259507c3dcd6d75c8522b3f1990606ef52c32bf34a928fa0acb325d856b33
Instruction ID: a5d7a98b7ec01142b131d34b6c3f01240a67f9170bfeb637c688646cdd3c376f
Opcode Fuzzy Hash: 514259507c3dcd6d75c8522b3f1990606ef52c32bf34a928fa0acb325d856b33
Instruction Fuzzy Hash: 7C51A1788A1347CFD7543F31BAAC56A7BB0FB0FBA77416D02A15E9A4899B351064CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0122CD70 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963387fcb8ac1c5c2c177155acf90b0b19c19d40b9ecd6b7757063096c31c6fe
Instruction ID: 259232c504f0eb9d0ac987b31db1682c1e64c3015236d871415bdc3ada465f21
Opcode Fuzzy Hash: 963387fcb8ac1c5c2c177155acf90b0b19c19d40b9ecd6b7757063096c31c6fe
Instruction Fuzzy Hash: E7518174E01218DFDB58DFA9D5949DDBBF2BF89300F24816AE819AB365DB31A901CF10

Uniqueness

Uniqueness Score: -1.00%

Function 01223960 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730ebb63b0d91535b0f2d0306e78841eeb37fef132c438de136935111263e1af
Instruction ID: 3731c5798a441a7923bbd77eb492b598e36611b63adca8d6d7fb9022b756232f
Opcode Fuzzy Hash: 730ebb63b0d91535b0f2d0306e78841eeb37fef132c438de136935111263e1af
Instruction Fuzzy Hash: AD51A378E01218DFCB48DFA9D59099DBBB2FF89304B209469E805AB324DB35A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01229AC3 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28db40af17dc78c7d792b1f2b16730db14d9ef46eff4d2486582ba8fa9a41a2
Instruction ID: eec42a273eb9e896cd1e267099597f72502b32caacfe983b5cdcf4fea1b3bce4
Opcode Fuzzy Hash: f28db40af17dc78c7d792b1f2b16730db14d9ef46eff4d2486582ba8fa9a41a2
Instruction Fuzzy Hash: A841E235A14269EFCF16CFA8C844ADEBFB2FF49318F048155E915AB2A1D371E990CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0122A6B0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8d1e8b61835da188f3ad6f4a106eb74fd68bcf7931160b9d07ccf97e624fd9
Instruction ID: 55eab91c703b21cb99531d118cf7f0a1b333638765ece91f86f3e0a6196f86e8
Opcode Fuzzy Hash: 6d8d1e8b61835da188f3ad6f4a106eb74fd68bcf7931160b9d07ccf97e624fd9
Instruction Fuzzy Hash: 8041E036B002149FCB19AF79D8546AE7BB3FBC8650F144569E60AE7791CE319C02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01223480 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0de8e7cbf932a3c4165a974f0e57b94205494d5d7af58df2fcd593ec7e6469
Instruction ID: 68ef6f5252bca97516a9c944c7ff5ef7be7afd806afc0d13f00085c4bbd930df
Opcode Fuzzy Hash: 1a0de8e7cbf932a3c4165a974f0e57b94205494d5d7af58df2fcd593ec7e6469
Instruction Fuzzy Hash: A1312975B24336ABEF2A8969585437E66E6FBCC250F144039DA0AD3341DFBCC844C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01224E20 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d31dd8e28c6ae1dc6fcba0236e4d94748436f456bc01851a9650963c771553f
Instruction ID: 0fd7c9bf2752c5a1872099963810484031747a22a327468ba50413f53e06d8b2
Opcode Fuzzy Hash: 7d31dd8e28c6ae1dc6fcba0236e4d94748436f456bc01851a9650963c771553f
Instruction Fuzzy Hash: FF31E33271425AAFCF05AF68D844AAF3FA6FF88244F104415FA198B240CF74CC21DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01227730 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6967ae3fbd3c3f2a06e12b5eaea1971336f69fb6855585a95db38cc5f06052
Instruction ID: 93a462db102090548b0748b01154b33832ecdfee971b8cb1a137b2d85291bf69
Opcode Fuzzy Hash: de6967ae3fbd3c3f2a06e12b5eaea1971336f69fb6855585a95db38cc5f06052
Instruction Fuzzy Hash: D7216D307282226BDB26073D88D5B7D3796AFE86447140039DA06CB352DDA5CC42E781

Uniqueness

Uniqueness Score: -1.00%

Function 01227740 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9fe464e83961bb7b494277db708e3a5ec012efce145fa86b5296ac9ae0a2c5
Instruction ID: 0ff7f5c1ffc04fca1f47dec636d4807878b857511479f9a62f36c4f691a5fa10
Opcode Fuzzy Hash: 7b9fe464e83961bb7b494277db708e3a5ec012efce145fa86b5296ac9ae0a2c5
Instruction Fuzzy Hash: A721D7317282226BEB26163D889477E3697AFD8758F144438DA06CF395DEA5CC42E782

Uniqueness

Uniqueness Score: -1.00%

Function 0122A869 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c281213e2880e232d3ae42c9c5457cf10b194ab830999bea71a4e9cde1b3e5
Instruction ID: d8e4e9ea173028f4d8d6104ee31f65e17a7e1d6fa03dbb5e7a46086497bf7dc4
Opcode Fuzzy Hash: f4c281213e2880e232d3ae42c9c5457cf10b194ab830999bea71a4e9cde1b3e5
Instruction Fuzzy Hash: D531C475F405159FCB04CF6DC8849AEBBB6FF84710B158155E655A77A1CB34DC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012220B8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c4800d0e78c299a4de3d695be5fe5d6154373d984bf33a9bdccd375e7de8397
Instruction ID: dca606ac443c0aa84e635566e6d7c9c08ebc1de13a7ec93c62e088fa48f29fdb
Opcode Fuzzy Hash: 6c4800d0e78c299a4de3d695be5fe5d6154373d984bf33a9bdccd375e7de8397
Instruction Fuzzy Hash: 6E21C179A10125AFCB15DB6CC4409AF3BA5FF89360B60C429E9098B381DB31EE45CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01225AB8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c966c8e6b23e29df990b8e748d5db805928774067eac35db326880912d979791
Instruction ID: d5c77e59f7f7602d8c408d352ee14efd318997b07503d1c6a74c540ad37cf226
Opcode Fuzzy Hash: c966c8e6b23e29df990b8e748d5db805928774067eac35db326880912d979791
Instruction Fuzzy Hash: 31212935710622AFC725AB69C89496EBB92FF89751B048479DA06CB358DF34DC02CFC0

Uniqueness

Uniqueness Score: -1.00%

Function 0122D619 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee633f81bec6bf93c77c003ac7404501cbe9a3e2a602fc05818748796d8adfa5
Instruction ID: 9c7ccf5926a83393f53812b3143d1912a1c39a81cc9f8ac5bf0d5efebe071164
Opcode Fuzzy Hash: ee633f81bec6bf93c77c003ac7404501cbe9a3e2a602fc05818748796d8adfa5
Instruction Fuzzy Hash: 2C214631C102189ECF11EFE8E8446ECFBB5FF5A300F009629D504B7254EB30AA4ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 012221B4 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9acc6453f9a187e942d511e5b2417119d1c4ccbdfa56d320614fe7d5d3842774
Instruction ID: 82f1dfe6c69eae9e403aff12738beee385929bd898846ff09a4760c207539e7e
Opcode Fuzzy Hash: 9acc6453f9a187e942d511e5b2417119d1c4ccbdfa56d320614fe7d5d3842774
Instruction Fuzzy Hash: D6117B36F5435DAFCB018BB85C105DEBB74FF8A310B2987A6D62577152E6312505C391

Uniqueness

Uniqueness Score: -1.00%

Function 0122D717 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849fa68c032c0103c1ab7eb710c51ad28249e98bb98ab65b9091665ebd107b76
Instruction ID: 9667d404519dbf5014e39ea52e2f7683f5d99c91a4ef289b02d93d6055aa8866
Opcode Fuzzy Hash: 849fa68c032c0103c1ab7eb710c51ad28249e98bb98ab65b9091665ebd107b76
Instruction Fuzzy Hash: 6A211878E022099FCB08DFB4D950AEEB7B2FB89304F10A529D405773A4DB3A9845CF25

Uniqueness

Uniqueness Score: -1.00%

Function 01223A45 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a895e4ca8fd854eb631e8b08f002232f98bcde9470b3b8893892dd6766a72e3d
Instruction ID: 098e5437f9623bbd14e3a56b8d787b56d9d83ab55367bbd8d76d984def270521
Opcode Fuzzy Hash: a895e4ca8fd854eb631e8b08f002232f98bcde9470b3b8893892dd6766a72e3d
Instruction Fuzzy Hash: 9D31A478E11308DFCB44DFA8E59499DBBB2FF49305B20946AE819AB324D731AD45CF40

Uniqueness

Uniqueness Score: -1.00%

Function 01224E11 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cde759ee418b9495996442208f1a11e65954bb54a9bce29b376ade2d03bb62b
Instruction ID: e0fc52e34e6da58a6a85b1940159cf1c9783e456cf4d07a30fa17c6d26ec8b2a
Opcode Fuzzy Hash: 1cde759ee418b9495996442208f1a11e65954bb54a9bce29b376ade2d03bb62b
Instruction Fuzzy Hash: 0D212672B18156AFDB11BF68D4457AF3BA2FB89314F104069F6098B241CE78CC51CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0122D728 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc7b0bed0f19ffd937d39dedd0ea21dbbaaa5f883c8eef25d2c85528115037a8
Instruction ID: a3e2aecf60c4ae742559ff11bf43b1115f3b7065aa7f96898c1dddd59c9f0388
Opcode Fuzzy Hash: dc7b0bed0f19ffd937d39dedd0ea21dbbaaa5f883c8eef25d2c85528115037a8
Instruction Fuzzy Hash: 5C21E478A022098FCF08DFB4D950AEEB7B2FB89305F10A529C405773A4DB7A9845CF65

Uniqueness

Uniqueness Score: -1.00%

Function 01225AC8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed31ee2ad21b8d16bd07ed27284768df582a4f7407e13703c130c89e17d449e
Instruction ID: 4b7e694bf453d2470f09fb4375daa2e1417a03922e1afdccc646d8676dbd3c24
Opcode Fuzzy Hash: 7ed31ee2ad21b8d16bd07ed27284768df582a4f7407e13703c130c89e17d449e
Instruction Fuzzy Hash: 49110831710622AFD7199A2ED85897EBB96FF896A13148479EA0ACB354DF30DC01CFC0

Uniqueness

Uniqueness Score: -1.00%

Function 01221FB8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be168f014a174c2f8f8586ab57f92536c56d70df9761617da85b195731c47651
Instruction ID: 19b8fd570fc0ccf1fa06df4d134137703773bbca5bef6711d65c8906012352e4
Opcode Fuzzy Hash: be168f014a174c2f8f8586ab57f92536c56d70df9761617da85b195731c47651
Instruction Fuzzy Hash: 4621FCB4D0020E8FCB44EFA9D9859EEBBF0FB58300F10556AC909B3214EB341A95CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0122565F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c29a13ac2d141474189fca681ef80bde25d3cb458f887bbd70fc4d4376e785c
Instruction ID: 96ef5e62732c7d1d34f86bfe9365c398e4dfee0e93bc831fe38f41a043bc832b
Opcode Fuzzy Hash: 0c29a13ac2d141474189fca681ef80bde25d3cb458f887bbd70fc4d4376e785c
Instruction Fuzzy Hash: D601D872B001156FDB159E5998146FF7FA7DFC8651F14C06AFA08CB254DA71C812CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01222068 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f151f8e921ea595029de29daf16e5916a309bff4c46e7cc8c74c5cabed5ca64e
Instruction ID: e70a28d1c755f45db759abccf79f21e0c13583bcfbac504361d4808c7f37905a
Opcode Fuzzy Hash: f151f8e921ea595029de29daf16e5916a309bff4c46e7cc8c74c5cabed5ca64e
Instruction Fuzzy Hash: C9E0DF72D602654BCB029BB4E8654FEBF36AFE1320F81426AD05133181EA60194EC790

Uniqueness

Uniqueness Score: -1.00%

Function 01222078 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c50b6875b778d44a833a053a8519966a107e05c0c974472328e8f2cc3e5e40
Instruction ID: 7575c555999c5751dd42c298764ec0471084e92922679b7c8193e70e1e0ea7b7
Opcode Fuzzy Hash: f3c50b6875b778d44a833a053a8519966a107e05c0c974472328e8f2cc3e5e40
Instruction Fuzzy Hash: B8D01231D6022A978B01AAA5DC044DEBB39FE95721B914666D51437140EB70265986E1

Uniqueness

Uniqueness Score: -1.00%

Function 012282B8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 0c81967bad2f4c7707abe97cad2ddc3505a783e27d4877b50a56ac2babd1ea00
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 07C0127321C1383AA225608E7C41AABAA8CC2C62B4A210237FA1CA3202A8829C8001A4

Uniqueness

Uniqueness Score: -1.00%

Function 0122A76D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c1ce59e7d13b816081f11be98c4d7252260f16e83009b9e319c32749585f4e
Instruction ID: 533e87a5a6c8eb60884834348d23b3d9e49dce6480a020a16963e5a162272c82
Opcode Fuzzy Hash: 07c1ce59e7d13b816081f11be98c4d7252260f16e83009b9e319c32749585f4e
Instruction Fuzzy Hash: 61D0677BB510089FCB149F98EC409DDB7B6FB9C222B048516E915E3260C6319921DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0122CEFC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 847dbae58ddc57a8f93d724b735c056b8e2c787da8708d7b1383503e1bdec4e9
Instruction ID: 0b64ef7fc598730f0ece5bf35ab0d6b4f4537d4ffa01b392fb2c9586af2cfeb4
Opcode Fuzzy Hash: 847dbae58ddc57a8f93d724b735c056b8e2c787da8708d7b1383503e1bdec4e9
Instruction Fuzzy Hash: 5ED0E234E4000DCBCF20DFA8E8449ECBBB0EF48252F20542AD829A3211E6702861CF11

Uniqueness

Uniqueness Score: -1.00%

Function 01225F00 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c62301e551f38b8cec3c1b934a2603385d006f9a4a5323a78f4acb6fdc7b9d
Instruction ID: ee4f5f10d35b89b2c606693e92b7047519f5056366c97a52a09fe036c8d01ebe
Opcode Fuzzy Hash: 05c62301e551f38b8cec3c1b934a2603385d006f9a4a5323a78f4acb6fdc7b9d
Instruction Fuzzy Hash: 20D02BB09043434BC202F330EB025043725AA82108B8450C5A0450E819DEB448494B22

Uniqueness

Uniqueness Score: -1.00%

Function 01225F10 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1367092291.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_proforma_Invoice_0009300_74885959969_9876.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838fcac8a63d61f68f7255b130dad5081a2d9013ef5c154102433e9c101d4fcd
Instruction ID: 4a4b4f3de071ebf6c489b7344bc79f11658e81573739a93daa8e11e744ae70f8
Opcode Fuzzy Hash: 838fcac8a63d61f68f7255b130dad5081a2d9013ef5c154102433e9c101d4fcd
Instruction Fuzzy Hash: 87C0127091030B4BD501F771EE46A55332EB6C2544F809590A14A0B919DEB458894BA2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report proforma_Invoice_0009300_74885959969_9876.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\proforma_Invoice_0009300_74885959969_9876.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
proforma_Invoice_0009300_74885959969_9876.exe

Function 007BABD8 Relevance: 1.9, Strings: 1, Instructions: 615
COMMON

Function 007B9F2C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Function 007BA7B0 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Function 007B9F50 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Function 007BA908 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Function 007BA688 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Function 007B9F38 Relevance: 1.6, APIs: 1, Instructions: 91
threadCOMMON

Function 007BAA28 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Function 0071D5B8 Relevance: .1, Instructions: 75
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre