Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe
Analysis ID: 1546666
MD5: 5f1d27279bc750ee8ef05d061ab17c95
SHA1: 7471f7bea4f8ca37005c44d9f374e8f288b1e2db
SHA256: 6f473e658bf903d38db929a48806854a28b067620009cfee3c7ffd0f69baea5a
Tags: exe
Infos:

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
AI detected suspicious sample
Machine Learning detection for dropped file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Costura Assembly Loader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe (PID: 2432 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe" MD5: 5F1D27279BC750EE8EF05D061AB17C95)
    • cmd.exe (PID: 4492 cmdline: "cmd.exe" /C update.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 3532 cmdline: TIMEOUT /T 2 MD5: 100065E21CFBBDE57CBA2838921F84D6)
      • PING.EXE (PID: 6256 cmdline: ping 127.0.0.1 -n 2 MD5: 2F46799D79D22AC72C241EC0322B011D)
      • OrionAscension.exe (PID: 4864 cmdline: OrionAscension.exe MD5: DD3F49EA75ED5F9D9EFBBE6767279161)
  • cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
| SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| C:\Users\user\Desktop\OrionAscension_Updated.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| 00000008.00000000.2245686403.000001C87CB22000.00000002.00000001.01000000.0000000D.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| 00000000.00000000.2126084682.00000229FCCA2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| 00000008.00000002.4581133061.000001C800001000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| 00000000.00000002.2217024212.0000022980001000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe PID: 2432 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| 8.0.OrionAscension.exe.1c87caa0000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| 0.0.SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe.229fcca0000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | ReversingLabs: Detection: 55%
Source: Submited Sample | Integrated Neural Analysis Model: Matched 86.1% probability
Source: C:\Users\user\Desktop\OrionAscension_Updated.exe | Joe Sandbox ML: detected
Source: Main.exe.8.dr | Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_ff63ea98-6
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe
Source: Binary string: E:\Client_Out\Main.pdb source: Main.exe.8.dr
Source: Binary string: C:\Grand Chase\Sources\Orion Launcher\EpicLauncher\EpicLauncher\obj\Release\launcher.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe
Source: Binary string: costura.costura.pdb.compressed source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|87BC942B699CB9F32EDBB7E73307135991585C5F|7960 source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe

Networking

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, 00000000.00000002.2217024212.0000022980340000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, 00000000.00000002.2217024212.0000022980237000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cdn.orionascension.com.br
Source: Main.exe.8.dr | String found in binary or memory: http://chase.nate.netmarble.net/Event/2012/20120503_ICandoit/_Html/
Source: Main.exe.8.dr | String found in binary or memory: http://chase.nate.netmarble.net/Event/2012/20120503_ICandoit/_Html/explorer
Source: Main.exe.8.dr | String found in binary or memory: http://chase.netmarble.net/Event/2012/20120503_ICandoit/_Html/
Source: Main.exe.8.dr | String found in binary or memory: http://chase.netmarble.net/Event/2012/20120503_ICandoit/_Html/explorer
Source: Main.exe.8.dr | String found in binary or memory: http://chase.netmarble.net/news/notice/BbsContentView.asp?seq=8119021&searchstring=&searchstringopti
Source: Main.exe.8.dr | String found in binary or memory: http://chase.playnetwork.co.kr/Event/2012/20120503_ICandoit/_Html
Source: Main.exe.8.dr | String found in binary or memory: http://chase.playnetwork.co.kr/Event/2012/20120503_ICandoit/_Htmlstatic_mydpointstatic_itemdpointsta
Source: Main.exe.8.dr | String found in binary or memory: http://chase.tooniland.com/Event/2012/20120503_ICandoit/_Html
Source: Main.exe.8.dr | String found in binary or memory: http://chase.tooniland.com/Event/2012/20120503_ICandoit/_Htmlexplorer
Source: OrionAscension.exe, 00000008.00000002.4581133061.000001C8003F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://defaultcontainer/images/buttons/config/config_default.png
Source: OrionAscension.exe, 00000008.00000002.4581133061.000001C8003AB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://defaultcontainer/images/buttons/config/config_hover.png
Source: OrionAscension.exe, 00000008.00000002.4581133061.000001C800523000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://defaultcontainer/images/buttons/fps/fps_hover.png
Source: OrionAscension.exe, 00000008.00000002.4581133061.000001C8002F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://defaultcontainer/images/buttons/lang/lang_hover.png
Source: OrionAscension.exe, 00000008.00000002.4581133061.000001C8003AB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://foo/bar/images/buttons/config/config_hover.png
Source: OrionAscension.exe, 00000008.00000002.4581133061.000001C8003AB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://foo/images/buttons/config/config_hover.png
Source: Main.exe.8.dr | String found in binary or memory: http://nexon.co.jp
Source: Main.exe.8.dr | String found in binary or memory: http://nexon.co.jpnummedia%dwindowReplay
Source: Main.exe.8.dr | String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, 00000000.00000002.2217024212.0000022980224000.00000004.00000800.00020000.00000000.sdmp, OrionAscension.exe, 00000008.00000002.4581133061.000001C800165000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, 00000000.00000002.2217024212.0000022980001000.00000004.00000800.00020000.00000000.sdmp, OrionAscension.exe, 00000008.00000002.4581133061.000001C800001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, 00000000.00000002.2217024212.0000022980237000.00000004.00000800.00020000.00000000.sdmp, OrionAscension.exe, 00000008.00000002.4581133061.000001C800165000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Main.exe.8.dr | String found in binary or memory: http://www.ijg.org
Source: Main.exe.8.dr | String found in binary or memory: https://bugtrap.chaseorigin.com.br/RequestHandler.aspxDISPLAYEdgeTexture.dds./Data/Stage/PlayerTempl
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, 00000000.00000002.2217024212.000002298008A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, 00000000.00000002.2217024212.0000022980340000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, 00000000.00000002.2217024212.0000022980237000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, 00000000.00000002.2217024212.0000022980001000.00000004.00000800.00020000.00000000.sdmp, OrionAscension.exe, 00000008.00000002.4581133061.000001C800001000.00000004.00000800.00020000.00000000.sdmp, OrionAscension.exe, 00000008.00000002.4581133061.000001C8001F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.orionascension.com.br
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, 00000000.00000002.2217024212.0000022980340000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.orionascension.com.br/OrionAscension.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, 00000000.00000002.2217024212.0000022980001000.00000004.00000800.00020000.00000000.sdmp, OrionAscension.exe, 00000008.00000002.4581133061.000001C800001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.orionascension.com.br/Update/
Source: OrionAscension.exe, 00000008.00000002.4581133061.000001C8002BA000.00000004.00000800.00020000.00000000.sdmp, OrionAscension.exe, 00000008.00000002.4581133061.000001C8001F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.orionascension.com.br/Update/Data
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, 00000000.00000002.2217024212.000002298008A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.orionascension.com.br/files.xml
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, 00000000.00000002.2217024212.0000022980237000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.orionascension.com.br/launcher.txt
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, 00000000.00000002.2217024212.0000022980001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.orionascension.com.br/launcher.txtonPa
Source: OrionAscension.exe, 00000008.00000002.4581133061.000001C8001F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.orionascension.com.br/version.bin
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | String found in binary or memory: https://cdn.orionascension.com.brShttps://cdn.orionascension.com.br/Update/
Source: OrionAscension.exe, 00000008.00000002.4581133061.000001C800001000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | String found in binary or memory: https://github.com/XamlAnimatedGif/XamlAnimatedGif
Source: Main.exe.8.dr | String found in binary or memory: https://noticias.eternalsage.com.br
Source: Main.exe.8.dr | String found in binary or memory: https://noticias.eternalsage.com.brPb
Source: Main.exe.8.dr | String found in binary or memory: https://ssl.grandchase.com.tw/member/authentication.htmhttp://member.changyou.com/register/regPhoneS
Source: Main.exe.8.dr | Binary or memory string: DirectInput8Create memstr_aba24745-7
Source: C:\Users\user\Desktop\OrionAscension.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | Code function: 0_2_00007FFD3467EAF5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | Code function: 0_2_00007FFD3467CBC3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | Code function: 0_2_00007FFD34671AED
Source: C:\Users\user\Desktop\OrionAscension.exe | Code function: 8_2_00007FFD34670E26
Source: C:\Users\user\Desktop\OrionAscension.exe | Code function: 8_2_00007FFD3466CBC3
Source: C:\Users\user\Desktop\OrionAscension.exe | Code function: 8_2_00007FFD34661AED
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, 00000000.00000002.2217024212.000002298033C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelauncher.exeP vs SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, 00000000.00000002.2217024212.0000022980352000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelauncher.exeP vs SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, 00000000.00000000.2126178125.00000229FCDC0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamelauncher.exeP vs SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | Binary or memory string: OriginalFilenamelauncher.exeP vs SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: OrionAscension_Updated.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: OrionAscension_Updated.exe.0.dr, Info.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: OrionAscension_Updated.exe.0.dr, Info.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, Info.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, Info.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal72.troj.evad.winEXE@10/13@0/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | File created: C:\Users\user\Desktop\OrionAscension_Updated.exe
Source: C:\Users\user\Desktop\OrionAscension.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2052:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C update.bat
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | ReversingLabs: Detection: 55%
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | String found in binary or memory: *windows/launcher.baml6
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | String found in binary or memory: _d3d9.dllI/launcher;component/windows/app.xaml
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | String found in binary or memory: btncloseO/launcher;component/windows/config.xaml1launcher_worker_complete
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | String found in binary or memory: dlllangO/images/buttons/start/start_default.pngK/images/buttons/start/start_hover.pngS/images/buttons/config/config_default.pngO/images/buttons/config/config_hover.pngK/images/buttons/lang/lang_default.pngG/images/buttons/lang/lang_hover.pngG/images/buttons/fps/fps_default.pngC/images/buttons/fps/fps_hover.pngS/launcher;component/windows/launcher.xaml
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | String found in binary or memory: -O/launcher;component/windows/splash.xaml
Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | String found in binary or memory: /launcher.txt
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C update.bat
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe TIMEOUT /T 2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Desktop\OrionAscension.exe OrionAscension.exe
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: msvcp140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: dwmapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: d3d9.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: d3d10warp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: winsta.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: powrprof.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: dataexchange.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: d3d11.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: dcomp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: dxgi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: twinapi.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: resourcepolicyclient.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: dxcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: textinputframework.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: coreuicomponents.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: msctfui.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: uiautomationcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: d3dcompiler_47.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                    Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\System32\timeout.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: msvcp140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: dwmapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: d3d9.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: d3d10warp.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: winsta.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: powrprof.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: dataexchange.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: d3d11.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: dcomp.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: dxgi.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: twinapi.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: resourcepolicyclient.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: dxcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: textinputframework.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: coreuicomponents.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: msctfui.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: uiautomationcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: d3dcompiler_47.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: mscms.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: coloradapterclient.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: windowscodecsext.dllJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeSection loaded: icm32.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeStatic file information: File size 1325568 > 1048576
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x11cc00
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe
                    Source: Binary string: E:\Client_Out\Main.pdb source: Main.exe.8.dr
                    Source: Binary string: C:\Grand Chase\Sources\Orion Launcher\EpicLauncher\EpicLauncher\obj\Release\launcher.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe
                    Source: Binary string: costura.costura.pdb.compressed source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe
                    Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|87BC942B699CB9F32EDBB7E73307135991585C5F|7960 source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe

                    Data Obfuscation

                    Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, AssemblyLoader.cs.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
                    Source: OrionAscension_Updated.exe.0.dr, AssemblyLoader.cs.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
                    Source: Yara matchFile source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, type: SAMPLE
                    Source: Yara matchFile source: 8.0.OrionAscension.exe.1c87caa0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe.229fcca0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000008.00000000.2245686403.000001C87CB22000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.2126084682.00000229FCCA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.4581133061.000001C800001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2217024212.0000022980001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe PID: 2432, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: OrionAscension.exe PID: 4864, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\Desktop\OrionAscension_Updated.exe, type: DROPPED
                    Source: Main.exe.8.drStatic PE information: section name: _RDATA
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeCode function: 0_2_00007FFD3455D2A5 pushad ; iretd 0_2_00007FFD3455D2A6
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeCode function: 0_2_00007FFD34673137 push ebx; ret 0_2_00007FFD34673156
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeStatic PE information: section name: .text entropy: 7.898762116442602
                    Source: OrionAscension_Updated.exe.0.drStatic PE information: section name: .text entropy: 7.88584875510529
                    Source: C:\Users\user\Desktop\OrionAscension.exeFile created: C:\Users\user\Desktop\MailMIME.dllJump to dropped file
                    Source: C:\Windows\System32\cmd.exeFile created: C:\Users\user\Desktop\OrionAscension.exe (copy)Jump to dropped file
                    Source: C:\Users\user\Desktop\OrionAscension.exeFile created: C:\Users\user\Desktop\Main.exeJump to dropped file
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeFile created: C:\Users\user\Desktop\OrionAscension_Updated.exeJump to dropped file
                    Source: C:\Users\user\Desktop\OrionAscension.exeFile created: C:\Users\user\Desktop\MailSMTP.dllJump to dropped file
                    Source: C:\Users\user\Desktop\OrionAscension.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe Memory allocated: 229FD110000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe Memory allocated: 229FEBC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\OrionAscension.exe Memory allocated: 1C87CF00000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\OrionAscension.exe Memory allocated: 1C87E980000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe Window / User API: threadDelayed 6562
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe Window / User API: threadDelayed 3199
                    Source: C:\Users\user\Desktop\OrionAscension.exe Window / User API: threadDelayed 7414
                    Source: C:\Users\user\Desktop\OrionAscension.exe Window / User API: threadDelayed 2419
                    Source: C:\Users\user\Desktop\OrionAscension.exe Dropped PE file which has not been started: C:\Users\user\Desktop\MailMIME.dll
                    Source: C:\Users\user\Desktop\OrionAscension.exe Dropped PE file which has not been started: C:\Users\user\Desktop\Main.exe
                    Source: C:\Users\user\Desktop\OrionAscension.exe Dropped PE file which has not been started: C:\Users\user\Desktop\MailSMTP.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -17524406870024063s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -600000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -599875s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -599765s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -599656s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -599546s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -599437s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -599305s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -599167s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -599059s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -598953s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -598843s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -598734s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -598625s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -598515s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -598406s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -598297s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -598187s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -598078s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -597968s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -597859s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -597750s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -597640s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -597531s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -597422s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -597297s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1804Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe TID: 1948Thread sleep time: -597172s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exe TID: 5012 Thread sleep time: -31359464925306218s >= -30000s
                    Source: C:\Users\user\Desktop\OrionAscension.exe TID: 5012 Thread sleep time: -600000s >= -30000s
                    Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe Thread delayed: delay time: 600000
                    Source: C:\Users\user\Desktop\OrionAscension.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\OrionAscension.exe Thread delayed: delay time: 600000
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, 00000000.00000002.2221489603.00000229FF280000.00000004.00000020.00020000.00000000.sdmp, OrionAscension.exe, 00000008.00000002.4597886898.000001C87F13A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\OrionAscension.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C update.bat
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe TIMEOUT /T 2
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
                    Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\OrionAscension.exe OrionAscension.exe
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
                    Source: C:\Users\user\Desktop\OrionAscension.exe Queries volume information: C:\Users\user\Desktop\OrionAscension.exe VolumeInformation
                    Source: C:\Users\user\Desktop\OrionAscension.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\OrionAscension.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
                    Source: C:\Users\user\Desktop\OrionAscension.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
                    Source: C:\Users\user\Desktop\OrionAscension.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\OrionAscension.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
                    Source: C:\Users\user\Desktop\OrionAscension.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | 1 Scripting | Valid Accounts | 2 Command and Scripting Interpreter | 1 Scripting | 11 Process Injection | 1 Masquerading | 1 Input Capture | 1 Query Registry | Remote Services | 1 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | 11 Archive Collected Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 12 Software Packing | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 12 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Source | Detection | Scanner | Label | Link
                    SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe | 55% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla

                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\Desktop\OrionAscension_Updated.exe | 100% | Joe Sandbox ML
                    C:\Users\user\Desktop\MailMIME.dll | 0% | ReversingLabs
                    C:\Users\user\Desktop\MailSMTP.dll | 0% | ReversingLabs

                    No Antivirus matches
                    No Antivirus matches

                    Source | Detection | Scanner | Label | Link
                    http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                    No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
138.255.160.46 | unknown | Brazil | 263975 | SmartLinkConsultoriaeservicosemtelecLTDABR | false
                                                                                  IP
                                                                                  127.0.0.1
                                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                                  Analysis ID:1546666
                                                                                  Start date and time:2024-11-01 12:26:04 +01:00
                                                                                  Joe Sandbox product:CloudBasic
                                                                                  Overall analysis duration:0h 7m 50s
                                                                                  Hypervisor based Inspection enabled:false
                                                                                  Report type:full
                                                                                  Cookbook file name:default.jbs
                                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                  Number of analysed new started processes analysed:14
                                                                                  Number of new started drivers analysed:0
                                                                                  Number of existing processes analysed:0
                                                                                  Number of existing drivers analysed:0
                                                                                  Number of injected processes analysed:0
                                                                                  Technologies:
                                                                                  • HCA enabled
                                                                                  • EGA enabled
                                                                                  • AMSI enabled
                                                                                  Analysis Mode:default
                                                                                  Analysis stop reason:Timeout
                                                                                  Sample name:SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe
                                                                                  Detection:MAL
                                                                                  Classification:mal72.troj.evad.winEXE@10/13@0/2
                                                                                  EGA Information:Failed
                                                                                  HCA Information:
                                                                                  • Successful, ratio: 98%
                                                                                  • Number of executed functions: 121
                                                                                  • Number of non-executed functions: 2
                                                                                  Cookbook Comments:
                                                                                  • Found application associated with file extension: .exe
                                                                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                                  • Execution Graph export aborted for target OrionAscension.exe, PID 4864 because it is empty
                                                                                  • Execution Graph export aborted for target SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe, PID 2432 because it is empty
                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                  • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                  • Skipping network analysis since amount of network traffic is too extensive
                                                                                  • VT rate limit hit for: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe
Time | Type | Description
07:26:59 | API Interceptor | 87x Sleep call for process: SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe modified
07:27:10 | API Interceptor | 13995711x Sleep call for process: OrionAscension.exe modified
                                                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe
                                                                                  File Type:CSV text
                                                                                  Category:dropped
                                                                                  Size (bytes):2114
                                                                                  Entropy (8bit):5.347100774327902
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:MxHKQwYHKGSI6ouHlJH/lEHuFKHKSqtHTHhAHKKkoHkRHxWH3:iqbYqGSI6ou/fmOYqSqtzHeqKko0RWX
                                                                                  MD5:27A2DE52EC46EAC65BC6E1961F080673
                                                                                  SHA1:E2A9F095526B084C37E127AE959BB02F8E3B41AF
                                                                                  SHA-256:4637A9AC7367EE957DB27797D2C9E0D7D757C274412E9772F5877E22FA27131D
                                                                                  SHA-512:BD8A751C573F134420A9D11C23DAF352CF96CA7A73749A1809179FD95DC7AD27DAFE6C6FE9CA32D6E293F990099C94FEA063BE43C9742B7C6516D682B162830D
                                                                                  Malicious:true
                                                                                  Reputation:low
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\WindowsBase\95a5c1baa004b986366d34856f0a5a75\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ef4e808cb158d79ab9a2b049f8fab733\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\
                                                                                  Process:C:\Users\user\Desktop\OrionAscension.exe
                                                                                  File Type:Audio file with ID3 version 2.4.0, contains: MPEG ADTS, layer III, v1, 64 kbps, 48 kHz, Stereo
                                                                                  Category:dropped
                                                                                  Size (bytes):2201924
                                                                                  Entropy (8bit):7.976114365929674
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:NoBXKiOcRgfaL6oRfspz1ubBdpClVAiBlaOXSUh:mB7xR9L6oE0IXvtF
                                                                                  MD5:DC0E5A120AAB43E4CA173666974BE962
                                                                                  SHA1:DCCE2BC4E7D1C313C02451E344F6149D068B9D49
                                                                                  SHA-256:7BC578458A08BE32D349210C628B36636A1783DB623410748A9E1C273E7A9F86
                                                                                  SHA-512:DC85733B57D9B10A0C4679D0C9F5B4645A3462E31890F95E9289F6301ED59BE7C17F4139CF0F7BE1B89BCD047B07B5D908681A2CBE3B6093FAA373D51DA3D10F
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Process:C:\Users\user\Desktop\OrionAscension.exe
                                                                                  File Type:Audio file with ID3 version 2.3.0, contains: MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, JntStereo
                                                                                  Category:dropped
                                                                                  Size (bytes):3097508
                                                                                  Entropy (8bit):7.970754285717125
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:Ss7dhjvpamugZJqwYLnGk3b/ez1i5bpuVggMknCSQAuhaWKgXyEoV+rf:dJkG+VpuVgb4QbQglf
                                                                                  MD5:E05DEF5048150903681B698F2E6CDC39
                                                                                  SHA1:62371391EBCB90AD2B296F5E7312747DA82344CA
                                                                                  SHA-256:1271A218A0E223DE80404D3A4922887831D3833105D003B425FDD33EEA26D790
                                                                                  SHA-512:0B7A87CC3359501CB15B35D3F34C56C82CD40E375E98E51CC30B8BF51330BB872806BDE06399F3FBAFDA78BE572BACA00C99D7220441ADFFE6909F126CDA5466
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Process:C:\Users\user\Desktop\OrionAscension.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):86968215
                                                                                  Entropy (8bit):7.999715554979607
                                                                                  Encrypted:true
                                                                                  SSDEEP:1572864:N/qqqqqqqqqqqqqqqqqqqqqqbReK5DHIUgvnHdvAAdtsdWC6G9Y7+:N/qqqqqqqqqqqqqqqqqqqqqqQM5gvn1O
                                                                                  MD5:44CD69BA766898D902F62DB0A6859C2E
                                                                                  SHA1:1F031F128B96DECB5A6A3C49616DB3E75059C6CC
                                                                                  SHA-256:F717A4E9828E31C15DE3AE457700C36E2A3645D85F59120FDA03288766A098C1
                                                                                  SHA-512:5A0066301693D0E98741B55B94B41AE7C31B5DC72BB48A71F7819884A4F30300B2B8BE5B852392F33D306AF11E64332997E16411BB7DA3C70097C89AD04B2D73
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Process:C:\Users\user\Desktop\OrionAscension.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):28672
                                                                                  Entropy (8bit):2.736255340811338
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:VuKvlfFQ5o/g16Z2Mf1rfG44K1/KW7IywrwF70jBzS:AKvNF0zLMfl/DEW7IywrwF70I
                                                                                  MD5:457C48B5F51ED83BC650DAED53D0AA74
                                                                                  SHA1:CFF774D33B0F1F043D45080AFC7FFDCB12999114
                                                                                  SHA-256:0E530BB82710D259A2FC519335EA068A8984EAABBCC4D0A1DA4800981AEBFC8C
                                                                                  SHA-512:CBC213307EA5C949CC495DECAC5081EBE3885A988713FE395D11C4FA49A925595E5E4F4DA8A28BA978D85CA4C6877FBB499FAEC7F4A04A03198D7DD3090FE130
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Reputation:low
                                                                                  Process:C:\Users\user\Desktop\OrionAscension.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):217088
                                                                                  Entropy (8bit):6.251774210891412
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:H8twgjkgm/MOGTk1/NI/DToMCrLzD0BOgRPPtTnvtQjMbSW:W/m/OTk1/q7TojLzEOaPPlKjL
                                                                                  MD5:CA1A8FBEC54DE29B6BCB743027CAAC99
                                                                                  SHA1:A07C12C581A6D40D479DCF9CECEC71F055E416C8
                                                                                  SHA-256:D2B2BBCD00AF680DBBDA7CC6F35D5275A599E4915498A13B9DAA0734142D030D
                                                                                  SHA-512:8CBE79101AF2FBE914ECCD1FBCC9689759816BBCE8EE6F98F1233585443F8DA9356A280A42359267AF658C20317EF34CDE3617B6C317106E0244BBA470B37292
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\Desktop\OrionAscension.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):20092416
                                                                                  Entropy (8bit):6.6341367649787495
                                                                                  Encrypted:false
                                                                                  SSDEEP:196608:Nac3O+EYdlNG5F4ljS6a+SUJFXU0Q2f7v6hSFev4QDA8DRxXC5OAKmcIYtEf5aad:DOL5F4JS6/md242S1ssgGc+98DbRZt0
                                                                                  MD5:BE2F30425E17DAB4F417D8071557F84A
                                                                                  SHA1:0863CE0B2443771906598E4C7E84907C2AE68AE9
                                                                                  SHA-256:AE5BC1B01EDA6D1610B41F27901A694C93082E6C76DA31236EE9719FFD6A6F80
                                                                                  SHA-512:F6069BCE1D25A132BAB6DFD6A04A62E71D9139D282414371E1D5485FE055681E2AE6EBDE7E48CE8B90EA23395042E6BC16422D8511AAA49BD8FDBF576CD23529
                                                                                  Malicious:true
                                                                                  Process:C:\Windows\System32\cmd.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1230848
                                                                                  Entropy (8bit):7.8034239054987244
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:P1f4T1xIwB0BJgvIO1i/q5g0ikqjVnlqud+/2P+AvFwGyFoBkkA9O1i0q5gsg:P67ZKJg14yfikqXfd+/9AN8an547z
                                                                                  MD5:DD3F49EA75ED5F9D9EFBBE6767279161
                                                                                  SHA1:39775C10035CA9930232FBC5090E43CA4FC995D6
                                                                                  SHA-256:2DCF4196EF3A822362225C130E647E7C13D83A91CB116F4F563E670D574521B1
                                                                                  SHA-512:56B21F1C0C9545B3E6C87868B24C3E8F8EF5A8C3B2A53874F545975A032896F95D6BE94102AD7D8D797FE89DAA92F1B5995B880D75F2B00E4C119BA11B741224
                                                                                  Malicious:true
                                                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1230848
                                                                                  Entropy (8bit):7.8034239054987244
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:P1f4T1xIwB0BJgvIO1i/q5g0ikqjVnlqud+/2P+AvFwGyFoBkkA9O1i0q5gsg:P67ZKJg14yfikqXfd+/9AN8an547z
                                                                                  MD5:DD3F49EA75ED5F9D9EFBBE6767279161
                                                                                  SHA1:39775C10035CA9930232FBC5090E43CA4FC995D6
                                                                                  SHA-256:2DCF4196EF3A822362225C130E647E7C13D83A91CB116F4F563E670D574521B1
                                                                                  SHA-512:56B21F1C0C9545B3E6C87868B24C3E8F8EF5A8C3B2A53874F545975A032896F95D6BE94102AD7D8D797FE89DAA92F1B5995B880D75F2B00E4C119BA11B741224
                                                                                  Malicious:true
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\Desktop\OrionAscension_Updated.exe, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe
                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):194
                                                                                  Entropy (8bit):5.002468903069453
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:/kJIEcJ3/06x3/Wk3/0eXSLpnWV+0Q3/0QEcuB46:/8BcJMmrMIS9WY3MZcO46
                                                                                  MD5:614889DAF3AC11F571FE6180F36191C7
                                                                                  SHA1:89F0F88360187BC140A4C8A518F0CBE56BEC99F4
                                                                                  SHA-256:8DD34B57D9B39909F9224E44DD1CE9D73FFD9EB6CAF869D181208B967E6D8ED1
                                                                                  SHA-512:DEDD5477CA49757E8E5C14DE760B0AF59F08C6EF50861804C6C3218AB308CA9DB7454C880BF23D078FA164537CA30020DD5A468C5DB695790FD1368C0B222887
                                                                                  Malicious:false
                                                                                  Preview:@ECHO OFF..>NUL TIMEOUT /T 2..2>NUL DEL /f OrionAscension.exe..@MOVE OrionAscension_updated.exe OrionAscension.exe..ping 127.0.0.1 -n 2 > nul..start OrionAscension.exe..2>NUL DEL /f update.bat..
                                                                                  Process:C:\Windows\System32\PING.EXE
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):331
                                                                                  Entropy (8bit):4.92149009030101
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:PzLSLzMRfmWxHLThx2LThx0sW26VY7FwAFeMmvVOIHJFxMVlmJHaVFEG1vv:PKMRJpTeT0sBSAFSkIrxMVlmJHaVzvv
                                                                                  MD5:2E512EE24AAB186D09E9A1F9B72A0569
                                                                                  SHA1:C5BA2E0C0338FFEE13ED1FB6DA0CC9C000824B0B
                                                                                  SHA-256:DB41050CA723A06D95B73FFBE40B32DE941F5EE474F129B2B33E91C67B72674F
                                                                                  SHA-512:6B4487A088155E34FE5C642E1C3D46F63CB2DDD9E4092809CE6F3BEEFDEF0D1F8AA67F8E733EDE70B07F467ED5BB6F07104EEA4C1E7AC7E1A502A772F56F7DE9
                                                                                  Malicious:false
                                                                                  Preview:..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Entropy (8bit):7.823147954225745
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                                  File name:SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe
                                                                                  File size:1'325'568 bytes
                                                                                  MD5:5f1d27279bc750ee8ef05d061ab17c95
                                                                                  SHA1:7471f7bea4f8ca37005c44d9f374e8f288b1e2db
                                                                                  SHA256:6f473e658bf903d38db929a48806854a28b067620009cfee3c7ffd0f69baea5a
                                                                                  SHA512:28d34cdb38dd21023023dbf44008f9806d616bf8954fe48e05ccef4682b0dca143142c7050f4c02103722a4e84e305228538c783967ac14a5cd4057f15f96829
                                                                                  SSDEEP:24576:e1f4T1xIwB0BJgvIO1i/q5g01z5jkqjVnlqud+/2P+AvFwGyFoBkkA7dO1iTq5gw:e67ZKJg14yf1FkqXfd+/9AN8anoo4mo
                                                                                  TLSH:5D5502C2F4445AE8F97A4635617E1D5207333E6B9680A94C78CCB81627F33A39637E4B
                                                                                  Icon Hash:d831b93371683934
                                                                                  Entrypoint:0x51ea0e
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x671DE0B5 [Sun Oct 27 06:41:57 2024 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:4
                                                                                  OS Version Minor:0
                                                                                  File Version Major:4
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:4
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                  Instruction
                                                                                  jmp dword ptr [00402000h]
                                                                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x11e9bd | 0x4e | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x120000 | 0x26818 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x148000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11e930 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x11ca14 | 0x11cc00 | 355bc7442dbdfde73e42276c03e6dbb6 | False | 0.9083548822980685 | data | 7.898762116442602 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x120000 | 0x26818 | 0x26a00 | 043c259cc1e582fc4b84d320cc3db6a3 | False | 0.7989292576860841 | data | 6.906067246184712 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x148000 | 0xc | 0x200 | f3bd555d6aab74639eec80c15fbeb9be | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1201a0 | 0xce15 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9936311769054343
RT_ICON | 0x12cfc8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | | | 0.702975275050278
RT_ICON | 0x13d800 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | | | 0.740375531412376
RT_ICON | 0x141a38 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.7403526970954357
RT_ICON | 0x143ff0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.7570356472795498
RT_ICON | 0x1450a8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.7774822695035462
RT_GROUP_ICON | 0x145520 | 0x5a | data | | | 0.7666666666666667
RT_VERSION | 0x14558c | 0x3b4 | data | | | 0.3860759493670886
RT_MANIFEST | 0x145950 | 0xec4 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF, LF line terminators | | | 0.4082010582010582
DLL | Import
mscoree.dll | _CorExeMain
                                                                                  Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                                                                                  Target ID:0
                                                                                  Start time:07:26:55
                                                                                  Start date:01/11/2024
                                                                                  Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.12338.1741.exe"
                                                                                  Imagebase:0x229fcca0000
                                                                                  File size:1'325'568 bytes
                                                                                  MD5 hash:5F1D27279BC750EE8EF05D061AB17C95
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.2126084682.00000229FCCA2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2217024212.0000022980001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:4
                                                                                  Start time:07:27:04
                                                                                  Start date:01/11/2024
                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"cmd.exe" /C update.bat
                                                                                  Imagebase:0x7ff7b21b0000
                                                                                  File size:289'792 bytes
                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:5
                                                                                  Start time:07:27:04
                                                                                  Start date:01/11/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff66e660000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:6
                                                                                  Start time:07:27:04
                                                                                  Start date:01/11/2024
                                                                                  Path:C:\Windows\System32\timeout.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:TIMEOUT /T 2
                                                                                  Imagebase:0x7ff6e3a90000
                                                                                  File size:32'768 bytes
                                                                                  MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate
                                                                                  Has exited:true

                                                                                  Target ID:7
                                                                                  Start time:07:27:06
                                                                                  Start date:01/11/2024
                                                                                  Path:C:\Windows\System32\PING.EXE
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:ping 127.0.0.1 -n 2
                                                                                  Imagebase:0x7ff65efe0000
                                                                                  File size:22'528 bytes
                                                                                  MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate
                                                                                  Has exited:true

                                                                                  Target ID:8
                                                                                  Start time:07:27:07
                                                                                  Start date:01/11/2024
                                                                                  Path:C:\Users\user\Desktop\OrionAscension.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:OrionAscension.exe
                                                                                  Imagebase:0x1c87caa0000
                                                                                  File size:1'230'848 bytes
                                                                                  MD5 hash:DD3F49EA75ED5F9D9EFBBE6767279161
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000008.00000000.2245686403.000001C87CB22000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000008.00000002.4581133061.000001C800001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:low
                                                                                  Has exited:false

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 0HV4$0HV4$0HV4$0HV4
                                                                                    • API String ID: 0-3047883369
                                                                                    • Opcode ID: 97640fabd66bbebaa2f2d2115b430c3c9557319474945ee9283d67eeb8ebaf06
                                                                                    • Instruction ID: f4f9ddb17a2d90e58f1226c34ccc7d05795b1bb2604215bdf5ca4a3950af797a
                                                                                    • Opcode Fuzzy Hash: 97640fabd66bbebaa2f2d2115b430c3c9557319474945ee9283d67eeb8ebaf06
                                                                                    • Instruction Fuzzy Hash: 56727131718A198FDB94EF2CC4A4BA57BE1FF5A304B0445B9E14EC72A2DE29EC41DB41
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 38278050cb43be0a9faf23b6ea1b5c2b46919725d115b5e7db5c5327bfdc8da8
                                                                                    • Instruction ID: 7a1caa3d5ccb8367fc605bb8a19de62536be4348f6dd61da124f53e616e6a769
                                                                                    • Opcode Fuzzy Hash: 38278050cb43be0a9faf23b6ea1b5c2b46919725d115b5e7db5c5327bfdc8da8
                                                                                    • Instruction Fuzzy Hash: D1917412A0D3A64BE761B6BCE8F21EB3FD4DF5322DB0841F7D1C88A093ED1D644A8655
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (8p4$88p4$@9p4$H7p4$H8p4$X8p4$h8p4$7p4$8p4
                                                                                    • API String ID: 0-1164135596
                                                                                    • Opcode ID: 124ae0e17ea36f74661391c84612d737e2b6b5561ab76d88d4f069fefb968edd
                                                                                    • Instruction ID: 0c2aede74f679bdd04df767b20718c2ad5ecab61a2d698ce02eb18cb7d2456de
                                                                                    • Opcode Fuzzy Hash: 124ae0e17ea36f74661391c84612d737e2b6b5561ab76d88d4f069fefb968edd
                                                                                    • Instruction Fuzzy Hash: B221A783A0FAD10FE3160A6C2CB50656FA0AFD7A5434891FFD0C5CF1DB9808A80D8351
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (8p4$88p4$@9p4$H8p4$X8p4$h8p4$8p4
                                                                                    • API String ID: 0-1923157024
                                                                                    • Opcode ID: 3bb4c4dbbeea67c22d1089b1ab520248a6053afd0f330f73d92d0cc72794d2a6
                                                                                    • Instruction ID: 3baa3e9d4402c39615013aef20cb8afff6e178f805ae1ff85bb807d1e30f1b8f
                                                                                    • Opcode Fuzzy Hash: 3bb4c4dbbeea67c22d1089b1ab520248a6053afd0f330f73d92d0cc72794d2a6
                                                                                    • Instruction Fuzzy Hash: C821F987E0F9D51BE7A44E280CF51A96FD0FF66604B0481FBD5C9CA2C7EC58E908A340
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: X.g4$h.g4
                                                                                    • API String ID: 0-3784148067
                                                                                    • Opcode ID: aa3645112d5d7cc73445439fc230deefa91e118dac7d4176e13b673f6bb411a7
                                                                                    • Instruction ID: 3542e41a17d5ec43312c98d804df62ee9cf68870b2a69bf0a92df6024ff10fe5
                                                                                    • Opcode Fuzzy Hash: aa3645112d5d7cc73445439fc230deefa91e118dac7d4176e13b673f6bb411a7
                                                                                    • Instruction Fuzzy Hash: 8B61A531709B468FE786DF788464664BBE2EF8B34071841F6C459CB2A3CA2C98C5C752
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 8@u4
                                                                                    • API String ID: 0-398326676
                                                                                    • Opcode ID: 84bab8d56e3d7d8cd8a0fd95d89c213b5841a59c55409151b47cb1d372fa0078
                                                                                    • Instruction ID: b401cbe9a7afea9b0b5d4f0d53edca0886f6c6ce471a49d0a291586891a7bfdd
                                                                                    • Opcode Fuzzy Hash: 84bab8d56e3d7d8cd8a0fd95d89c213b5841a59c55409151b47cb1d372fa0078
                                                                                    • Instruction Fuzzy Hash: 53819331A14A1E8FDB98EF58C8A47FA77E1FF99300F104569D41ED7296DE39A841CB80
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: U
                                                                                    • API String ID: 0-3372436214
                                                                                    • Opcode ID: 922ce0587a7a1bfb0b2b9c664e21d5577a92378accac17934b65e5fb53d8f57a
                                                                                    • Instruction ID: 50038d9768ff7b6c5ab1af312ee0796f22946d889a6605c472b084c6ce1691c1
                                                                                    • Opcode Fuzzy Hash: 922ce0587a7a1bfb0b2b9c664e21d5577a92378accac17934b65e5fb53d8f57a
                                                                                    • Instruction Fuzzy Hash: B5412431B0DB464FE75ADF38C8A45957BE1EF47340B0941FAD459CB1A3D928AC49C352
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: p|V4
                                                                                    • API String ID: 0-3670401235
                                                                                    • Opcode ID: 6e3d6a706f5f3c3b7dfc799538689364577e3265e6bfc63c9705bc6f2dfcafd5
                                                                                    • Instruction ID: b3d92e134372fd3ef82b04e53910b48579bb7e7da5e0930f060ff672e0199b4c
                                                                                    • Opcode Fuzzy Hash: 6e3d6a706f5f3c3b7dfc799538689364577e3265e6bfc63c9705bc6f2dfcafd5
                                                                                    • Instruction Fuzzy Hash: 44413931A0C7414FE764EF28C8659A97BE1FF96310B0441BAD049CB183ED2DA84AC781
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: P.g4
                                                                                    • API String ID: 0-3549606529
                                                                                    • Opcode ID: a27e008324ff9290b16fe7175f282f27767e14357ab5622c2b1e701812f42820
                                                                                    • Instruction ID: 6781ff32028d7f2e446a1ac6906ad041bc0a2f716e17fa0367631e6d71715b0a
                                                                                    • Opcode Fuzzy Hash: a27e008324ff9290b16fe7175f282f27767e14357ab5622c2b1e701812f42820
                                                                                    • Instruction Fuzzy Hash: 66414C31A14A1D8FEB99EF68C8A47B977A1FF59310F104529E11AD72D2CE29A842C740
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: X.g4
                                                                                    • API String ID: 0-371628654
                                                                                    • Opcode ID: 17af8bee0ed653f016d8ffd859f6e8f8e0c6d524789a0d77ac7721ba0b449518
                                                                                    • Instruction ID: 357c96b8c15953efe210a5b54e0e3bd7d75dcc6cff2d6a21def3f0034c454551
                                                                                    • Opcode Fuzzy Hash: 17af8bee0ed653f016d8ffd859f6e8f8e0c6d524789a0d77ac7721ba0b449518
                                                                                    • Instruction Fuzzy Hash: 10418331709B468FE796DF7884652A47BE2EF8A340B1441BAD459CB293CE2DA981C712
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: p|V4
                                                                                    • API String ID: 0-3670401235
                                                                                    • Opcode ID: 521246ab29c9b05218fbb0f37bd043600f5dbd61cbfac3450e9e04f9511c3e49
                                                                                    • Instruction ID: 8407631c5f2cdec018dc6f33e5d6021fb06fa24627dcfbbd11b3d587142c5661
                                                                                    • Opcode Fuzzy Hash: 521246ab29c9b05218fbb0f37bd043600f5dbd61cbfac3450e9e04f9511c3e49
                                                                                    • Instruction Fuzzy Hash: 42311631B1CB468FE754EF28C4655A5B7E1FF96310B0441BAD059CB583DE29A887C781
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 0HV4
                                                                                    • API String ID: 0-1655960994
                                                                                    • Opcode ID: 58c04a0af66987fee888cde5c115d6c318022eade17be0572013413736fbb9c4
                                                                                    • Instruction ID: 31cf9308e555f58c74025e5e2ca93c0df904d7f86fa6d8a2de0e587c8f4c4c34
                                                                                    • Opcode Fuzzy Hash: 58c04a0af66987fee888cde5c115d6c318022eade17be0572013413736fbb9c4
                                                                                    • Instruction Fuzzy Hash: 14213822A0DE564FE79ACB6C98652A47BD1EF97320B0841F7D54CC71A7DE2CEC818391
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 8:p4
                                                                                    • API String ID: 0-866968151
                                                                                    • Opcode ID: e4ef9a34485791c460950053ef5b122007146d487b10ed709a146e62f113a3df
                                                                                    • Instruction ID: 9584331e964d935d5f03b58c5709bac1620abac76673544348923ffcdc69e211
                                                                                    • Opcode Fuzzy Hash: e4ef9a34485791c460950053ef5b122007146d487b10ed709a146e62f113a3df
                                                                                    • Instruction Fuzzy Hash: CE112471A1CB864FD75AAB3484A41E57BF0EF6630470481FBD08AC7693DE2CA8418700
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 8:p4
                                                                                    • API String ID: 0-866968151
                                                                                    • Opcode ID: 755be333ff27794f29cbcedca393daaac59408608c4049c6d769abdf5ec687b2
                                                                                    • Instruction ID: 25dd8ff864038cdaa71d9099c6198030ceb4a71a3114e615555ef0af545445f9
                                                                                    • Opcode Fuzzy Hash: 755be333ff27794f29cbcedca393daaac59408608c4049c6d769abdf5ec687b2
                                                                                    • Instruction Fuzzy Hash: 5C110671B18F8B4FD76ABB3484A41E977F1EF6530470085BAD04FC7696DE2CA8828740
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2d38c3e060737c5706155ce86bc9a191362d17c8e8faca603608a9e2ee3b9452
                                                                                    • Instruction ID: 7e032827d70955ab99d8880ce3167fa5973c6d368cbf7fa4107b55cc5f1671ad
                                                                                    • Opcode Fuzzy Hash: 2d38c3e060737c5706155ce86bc9a191362d17c8e8faca603608a9e2ee3b9452
                                                                                    • Instruction Fuzzy Hash: DB121130718A198FDB94EF2CC4A4BA97BE1FF59305F1405B9E04EC76A2DA29EC41DB41
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2224415188.00007FFD3455D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3455D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd3455d000_SecuriteInfo.jbxd
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e24bcc7fcebe7df8ba4ac7c9d653a7a3e069f9225e82206161faca5b737fd361
                                                                                    • Instruction ID: 32cff27ef73ed2d18c8fa73b40cdfa1073c5c6ca6eeb572d5bf3746e85274b75
                                                                                    • Opcode Fuzzy Hash: e24bcc7fcebe7df8ba4ac7c9d653a7a3e069f9225e82206161faca5b737fd361
                                                                                    • Instruction Fuzzy Hash: 9D01F13255CAD50FD3529B249C614E67FE0FB82320F0507BBE189D7093DA5E5A068782
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c0be85e9af755a1675bec6dc80e0f39373bede5e78850dcee320c398e29ea4b0
                                                                                    • Instruction ID: b69cdc4ac6535944cdb858270fab503725efab20411f6354b6130f506722ba26
                                                                                    • Opcode Fuzzy Hash: c0be85e9af755a1675bec6dc80e0f39373bede5e78850dcee320c398e29ea4b0
                                                                                    • Instruction Fuzzy Hash: FE012131704B468FD789DF2C8464655B7F2FF9A34071941A5D45ECB296CA38EC82CB41
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fce130b6098a4656eea7fc69cb70efb2ffd488650686ee94e178651cb045b8e2
                                                                                    • Instruction ID: 74014fe5438bdfdfae0c5c88568024721eb0cbc2735de78b10463acfb09795c7
                                                                                    • Opcode Fuzzy Hash: fce130b6098a4656eea7fc69cb70efb2ffd488650686ee94e178651cb045b8e2
                                                                                    • Instruction Fuzzy Hash: 27F08132B0881E8FEB84EA5C98916FD7BF2EBD9250B048076D11DD3282CE2C68429780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d62b7b3fcb8e811d60f1f87a44ffde19d722ae91ac85da584e201d5be9553707
                                                                                    • Instruction ID: 629b0eed7be64b67c8a6c5d8613121c83d6b901f81400485da1f494d22e75886
                                                                                    • Opcode Fuzzy Hash: d62b7b3fcb8e811d60f1f87a44ffde19d722ae91ac85da584e201d5be9553707
                                                                                    • Instruction Fuzzy Hash: 7AF08132B0881E8FEB84EA5C98916FD7BF2EBC9250B048076C11DD3282CE2C58429780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f3bcd24bf931835bcc455cb31efe72b01b763658eb9242cc333431703a6f1711
                                                                                    • Instruction ID: a0c9039462ce82083c676b0ea9745d04fd244e586cf572207f17dcbba68d29cd
                                                                                    • Opcode Fuzzy Hash: f3bcd24bf931835bcc455cb31efe72b01b763658eb9242cc333431703a6f1711
                                                                                    • Instruction Fuzzy Hash: 65F08132B0881E8FEB84EA5C98916FD7BF2EBD9250B048076D11DD7282CE2C68429780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 53693802a8ef9561506b110dfe537fa766f64d5a46e6f525fd1af810f5d14e36
                                                                                    • Instruction ID: aa665fd07e05955123e7abca6cef4d15605ce859a699a48dbc3d93b16bc2890a
                                                                                    • Opcode Fuzzy Hash: 53693802a8ef9561506b110dfe537fa766f64d5a46e6f525fd1af810f5d14e36
                                                                                    • Instruction Fuzzy Hash: 2AF0F662A0E9940FF7559B6858753B87FD1EB97310F0941BAD009C6183CE5C59425391
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a5b029c7d6ad8a9bffbd3ff511c60969cd02fe251fba2a9b40e881b43d7bf411
                                                                                    • Instruction ID: e9d00b20924afe0b198829c2271988a6944ada843ecef81d4f681fd342d80853
                                                                                    • Opcode Fuzzy Hash: a5b029c7d6ad8a9bffbd3ff511c60969cd02fe251fba2a9b40e881b43d7bf411
                                                                                    • Instruction Fuzzy Hash: 4FF04432B0891E4FEB85EA5C94956FD77F2EBD9250B044176D51DD7292CE2858428780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f42751c1017e9dff9a2476ad072938ab0396c6df0333c2e3c716f989b373df87
                                                                                    • Instruction ID: 9bcbfcf65d62ed3d6b871f9af217db19fe6cba766ca23c87cf2ed13a28cc7766
                                                                                    • Opcode Fuzzy Hash: f42751c1017e9dff9a2476ad072938ab0396c6df0333c2e3c716f989b373df87
                                                                                    • Instruction Fuzzy Hash: 57F0C871A0D7E80FDB525B781C5C0EA7FF0EE5B221B0901BBD548D7193D91808158391
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b0dda27df5aa0b2ea2d66e21c7f6d308eda76007e2cee2dc65fbd3a401b86c28
                                                                                    • Instruction ID: ad0674cb931f6523b771dc2f6c46d530cc5fa1be616fb6bdebadfc81482ee108
                                                                                    • Opcode Fuzzy Hash: b0dda27df5aa0b2ea2d66e21c7f6d308eda76007e2cee2dc65fbd3a401b86c28
                                                                                    • Instruction Fuzzy Hash: 7BF0175290E7E14EE76B1A782CB51A03FB09F13211B0E50EBC5C8DA1E3D90C6C889763
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 47399cf98af61c58584cbeaeb35c78690581788d0f37c204b62880bfe3480c7f
                                                                                    • Instruction ID: c7c1a175d4f2a1eacade78b0c66a813888c1ec7db337f7897dcd71867eca17d7
                                                                                    • Opcode Fuzzy Hash: 47399cf98af61c58584cbeaeb35c78690581788d0f37c204b62880bfe3480c7f
                                                                                    • Instruction Fuzzy Hash: 9E0149329097898FF791DF648CA96DC3FB1FF45340F0440BAD91CC7192EA39A8558341
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 49f73d872ccdf4f95e6d14482fcab85981db489dde444f3ef0ee19f73e381c63
                                                                                    • Instruction ID: c8927063e88a1e8d40758798a1b07a2074b169f29b5c7d16769b1ac0859d468b
                                                                                    • Opcode Fuzzy Hash: 49f73d872ccdf4f95e6d14482fcab85981db489dde444f3ef0ee19f73e381c63
                                                                                    • Instruction Fuzzy Hash: 51F08942E0D5714AFB68596D6CA52F85DC0DB51211F096077D55CD61D2D94D6CC41381
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 132cf836f1eb278e7b62119e92955baa71996257f1d492fff58290fa1fee38e4
                                                                                    • Instruction ID: 8cf2fb5f97ce092eb11a70b0758dd5f2c8fd893cf4f44ee5a45652cb624f5035
                                                                                    • Opcode Fuzzy Hash: 132cf836f1eb278e7b62119e92955baa71996257f1d492fff58290fa1fee38e4
                                                                                    • Instruction Fuzzy Hash: 63F02092B0E6E20FE7568A2D0CB92E42EC19FA7350F8990FEC248CB2D3D80DDC058305
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6e834165d48202dea7534671bdcbfcdbbb14edcf41e757c7bf26200354077b75
                                                                                    • Instruction ID: 90e62ee4c0d1c0edad5a58cafee8d3e26b1ef38c8a45ec4589d625acc45e9d8e
                                                                                    • Opcode Fuzzy Hash: 6e834165d48202dea7534671bdcbfcdbbb14edcf41e757c7bf26200354077b75
                                                                                    • Instruction Fuzzy Hash: 41E07D40B19CC60BE758992E0CA12E038C2CB9A640FC8D035D10DC32D2DC0CDC440285
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 178fb6920e7b321f4d4fbc60bd102bc0872db2a378b046c0a2c46e64bd29a945
                                                                                    • Instruction ID: 7ab60cde126358b0ed3614c45cda66636fe514941c4de804a573dbcb6187d853
                                                                                    • Opcode Fuzzy Hash: 178fb6920e7b321f4d4fbc60bd102bc0872db2a378b046c0a2c46e64bd29a945
                                                                                    • Instruction Fuzzy Hash: D0E0C23395D99C4BCB80EE68AC510C93BD4FF55308F45019EED5CC7141EA26D415C782
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f2f76072334d2d8b028f9af0d9824b93daf6e595e0031878eae79ab5f579c6ee
                                                                                    • Instruction ID: 5c0f0d1412343726697a6bd4d40c98d010b7a253e3a9b7a14dbf8a0f0a44f47b
                                                                                    • Opcode Fuzzy Hash: f2f76072334d2d8b028f9af0d9824b93daf6e595e0031878eae79ab5f579c6ee
                                                                                    • Instruction Fuzzy Hash: 1DE02631D0D58C9AEF00FF7488D80EE7FE0EF11204F4004BAE55AD2041ED38A6488B80
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2230256730.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34670000_SecuriteInfo.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: #N_^$$N_^
                                                                                    • API String ID: 0-1386129089
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ``t4$`ft4$p|U4$]t4$]t4$et4
                                                                                    • API String ID: 0-3142003907
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 0HU4$0HU4$0HU4$0HU4
                                                                                    • API String ID: 0-2339029571
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (8o4$88o4$@9o4$H7o4$H8o4$X8o4$h8o4$7o4$8o4
                                                                                    • API String ID: 0-820072068
                                                                                    • Opcode ID: b790a750d5871dc5dde5fb71c7c6dd988480ada846909f41dd4f8d0287297b7d
                                                                                    • Instruction ID: f6cdf512c229a2293b7a7df41104fb5a7dc3e1c9e5cacc0df72377806b653e39
                                                                                    • Opcode Fuzzy Hash: b790a750d5871dc5dde5fb71c7c6dd988480ada846909f41dd4f8d0287297b7d
                                                                                    • Instruction Fuzzy Hash: D2218183A0FAD11EE3160E2C6C760B86F60EB9766434C02FBD0C4CB0DBD90DA8599355
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (8o4$88o4$@9o4$H8o4$X8o4$h8o4$8o4
                                                                                    • API String ID: 0-3476012670
                                                                                    • Opcode ID: add5fc4245f22e8dd5fcde6b4a91d80c2df806f247491218a2d5e2191fba0800
                                                                                    • Instruction ID: 48f453d9b0e9ffefc00272d7a626942c9569d93161549d35087c57cafd98a666
                                                                                    • Opcode Fuzzy Hash: add5fc4245f22e8dd5fcde6b4a91d80c2df806f247491218a2d5e2191fba0800
                                                                                    • Instruction Fuzzy Hash: 83F0A7A6A0CA891AE794AE2848A51EDBFD0FF55654F0000BBD9C9D1252DD2C69459340
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: HCt4$PkT4
                                                                                    • API String ID: 0-3878686590
                                                                                    • Opcode ID: b3aa0c2e66656476aa6fab0d518edac45fca5027723c64735158c4a1f1158bbb
                                                                                    • Instruction ID: 5b86f8be3d4193a9e00cb5d3f5a003a2f9b4bc20940457aad931bc191254e750
                                                                                    • Opcode Fuzzy Hash: b3aa0c2e66656476aa6fab0d518edac45fca5027723c64735158c4a1f1158bbb
                                                                                    • Instruction Fuzzy Hash: D4627330718A5A8FEB98EF18C4A06A9B3A2FF59314F54456CD55EC7286CF39BC42C781
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ``t4$et4
                                                                                    • API String ID: 0-3286765612
                                                                                    • Opcode ID: ef48e70481be9d8ebebf345fe61556e20a5e5a241585f56b3028b529058da681
                                                                                    • Instruction ID: 0ecef5e8a9dd802f981ed1daeba53515bf3ac1c11290197daf1ddaa4a40ddc19
                                                                                    • Opcode Fuzzy Hash: ef48e70481be9d8ebebf345fe61556e20a5e5a241585f56b3028b529058da681
                                                                                    • Instruction Fuzzy Hash: 5EB19430718A5A8FEB98EF18C4A0AF977A2FF99304B544169D54EC7395CE39EC82C740
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: X.f4$h.f4
                                                                                    • API String ID: 0-1591852694
                                                                                    • Opcode ID: be4ec761a8f388c5086bbd3e08008b1bd04bd9969b1f150e1ae4832a599183cd
                                                                                    • Instruction ID: 14e34ac004b15664e133240242d8710c63285ff3203ea35b3017b207486f069f
                                                                                    • Opcode Fuzzy Hash: be4ec761a8f388c5086bbd3e08008b1bd04bd9969b1f150e1ae4832a599183cd
                                                                                    • Instruction Fuzzy Hash: 8A51C7307289498FF795FB1C80A56A9B3D2FB8A351B9441B9D18DC73A6CF6DAC818340
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: p|U4
                                                                                    • API String ID: 0-4058559248
                                                                                    • Opcode ID: 06bfcbf823df7f1de6b020c34c8a33766979cc78aa4913857caaa02fcd565920
                                                                                    • Instruction ID: 42c6bccaad5f40274cfe7eb63fca8495cd7868c4a408470e1aa0f1929a50ea36
                                                                                    • Opcode Fuzzy Hash: 06bfcbf823df7f1de6b020c34c8a33766979cc78aa4913857caaa02fcd565920
                                                                                    • Instruction Fuzzy Hash: 6C612471A1D7C54FE7569B28C8715E8BFA0FF53321B0941FBD089CB193DA2D68468392
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 0]t4
                                                                                    • API String ID: 0-3756839449
                                                                                    • Opcode ID: a8717468a29b4c02292b901da9f13a5f5d1b72ed28da00b7748fda2f9be4303d
                                                                                    • Instruction ID: 1dcec6714dca6264351e21e3c86210ecd3f0fe1d4b70b8a626541c5761cd5060
                                                                                    • Opcode Fuzzy Hash: a8717468a29b4c02292b901da9f13a5f5d1b72ed28da00b7748fda2f9be4303d
                                                                                    • Instruction Fuzzy Hash: 3E412C31E0CA594FE729AB64AC566FA7BD0EF57310F18017AD08AD7193DD5C78428381
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 0]t4
                                                                                    • API String ID: 0-3756839449
                                                                                    • Opcode ID: ffa0e66a899275b6f541ed3baee39cdfd1ee83ef8796f82b596d4ab696bcc66a
                                                                                    • Instruction ID: baeb48513b87aaf25bfd7370e1644192b0cf378e03da2aebc677ddf267e47854
                                                                                    • Opcode Fuzzy Hash: ffa0e66a899275b6f541ed3baee39cdfd1ee83ef8796f82b596d4ab696bcc66a
                                                                                    • Instruction Fuzzy Hash: F531D832B1CA194FE768BA98A8566FE77D1EF99311F14017AE04AE3183DD6878424281
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: p|U4
                                                                                    • API String ID: 0-4058559248
                                                                                    • Opcode ID: 9ecce598b9a2cd1de1eb8a19ba1f5627a58c95afa6a29b21f868d130b6db1133
                                                                                    • Instruction ID: c5d025158c220dc096c4d248f9c212426da6c0f134ebd966f1b3940f11678c6f
                                                                                    • Opcode Fuzzy Hash: 9ecce598b9a2cd1de1eb8a19ba1f5627a58c95afa6a29b21f868d130b6db1133
                                                                                    • Instruction Fuzzy Hash: 44415931B1CA454FEB54EF18C8659E9B7D1FF96310B4442BAD08DC7296EE2EAC4283C1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: p|U4
                                                                                    • API String ID: 0-4058559248
                                                                                    • Opcode ID: d823508afa2165c2123477f4e64ee512089f3a0584deeddfdbae3e099e94cb18
                                                                                    • Instruction ID: 6bc64e8191be3090f255c89735259c7b98b87d9aa51db97172c58faa974add40
                                                                                    • Opcode Fuzzy Hash: d823508afa2165c2123477f4e64ee512089f3a0584deeddfdbae3e099e94cb18
                                                                                    • Instruction Fuzzy Hash: 77313731B18A454FEB54EF18C4A56E9B3D1FF95311B4442BAD08DC7286DE2AAC8287C1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: X.f4
                                                                                    • API String ID: 0-255699759
                                                                                    • Opcode ID: b6d8591f735089e2389fcd5294ab453fb446f6bc201f2937238767f68364cf6c
                                                                                    • Instruction ID: 692623ff8ba8492012fc39d9877b0c8c1825260cca53a1896c4a2c5f454c355e
                                                                                    • Opcode Fuzzy Hash: b6d8591f735089e2389fcd5294ab453fb446f6bc201f2937238767f68364cf6c
                                                                                    • Instruction Fuzzy Hash: 61315430724A498FF795FB2880B57E8B392FB89355B9441B9D18EC7396CF6DAC818701
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 0HU4
                                                                                    • API String ID: 0-1235134049
                                                                                    • Opcode ID: f92944f87aa6349f74cb4b5c6fa0860bdc257c2eda338291952cbc046986129b
                                                                                    • Instruction ID: 4fc1206fc3d0d10882e20a11721a69124ef3547b304ef6eeb862a30c1650bd6c
                                                                                    • Opcode Fuzzy Hash: f92944f87aa6349f74cb4b5c6fa0860bdc257c2eda338291952cbc046986129b
                                                                                    • Instruction Fuzzy Hash: EB213821A1DE564FE796DB1C94612F4B6C1FF96320B4402F7D18CC71AADF5DAC818380
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 8:o4
                                                                                    • API String ID: 0-4277595337
                                                                                    • Opcode ID: 2af97e09304d9569ba14b9e2b23b2c8aa2b8730d7da41adf1ffcf3053c33c78a
                                                                                    • Instruction ID: f6ab66a9bdf611d419cfe22e47740bb20f38948e9647bf8db7383492b8a9d762
                                                                                    • Opcode Fuzzy Hash: 2af97e09304d9569ba14b9e2b23b2c8aa2b8730d7da41adf1ffcf3053c33c78a
                                                                                    • Instruction Fuzzy Hash: 80110321B28B9A4FE756FB2484A41E977B1FF6531474445BBC18AC7696DE2CA8418700
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 8:o4
                                                                                    • API String ID: 0-4277595337
                                                                                    • Opcode ID: fba6635bebd4cd4596fdb3f5f58b4c27249a4f5a6201136d06ebe7c906e5156b
                                                                                    • Instruction ID: 762ee376ec3e37487053b05b4b8968c91b52b6d82dfe7e896088f7534f5293b4
                                                                                    • Opcode Fuzzy Hash: fba6635bebd4cd4596fdb3f5f58b4c27249a4f5a6201136d06ebe7c906e5156b
                                                                                    • Instruction Fuzzy Hash: A711E930B24E5A4FE765FB24C0A45FA73A1FF55344740457AD08FC3696DE2CA8818740
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b2553c73ce8e6efc0c399df309fff815a250455ffa3a77b97148116b13b7ca8f
                                                                                    • Instruction ID: dff19819828b27f50247cff93dd38669273f3bab77774b78d1471db08f26d405
                                                                                    • Opcode Fuzzy Hash: b2553c73ce8e6efc0c399df309fff815a250455ffa3a77b97148116b13b7ca8f
                                                                                    • Instruction Fuzzy Hash: AC023D307189198FEB94EF2CC4A8BA977E1FF59314F4405B9E04ED76A2DE29EC409B41
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9efeccf878a48a148745662464e47c275195379600334bfb06924dbb5a7f2a33
                                                                                    • Instruction ID: 35447a1ae9c73a3f67c61e7999674a1c154bb074aad65c1011853c0a46182e60
                                                                                    • Opcode Fuzzy Hash: 9efeccf878a48a148745662464e47c275195379600334bfb06924dbb5a7f2a33
                                                                                    • Instruction Fuzzy Hash: E8C10831B1CA058BF758EB6C88666F5B7C1EF56301F5482B9E08DC72D3DD6DA8454381
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3d65a8ca0a095b944dda02f505141b83d32d63d0e0fe5f343f8df3db30fa54d9
                                                                                    • Instruction ID: 38a50449d121b99d50503ce2543b4e6d65215e9f159187bc89d124a2d48f0258
                                                                                    • Opcode Fuzzy Hash: 3d65a8ca0a095b944dda02f505141b83d32d63d0e0fe5f343f8df3db30fa54d9
                                                                                    • Instruction Fuzzy Hash: F2C1F462B0D5B60BE7557EA884F21F5B790EF43339B0801BADADDCA0C3DD1D7809AA51
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ed8d36e901112f33559567c648bed9419cc619faaaa0518c33712cdb676d3d9b
                                                                                    • Instruction ID: 8af5cf4fdac0dbc371e28c34f900435feaa63fcdf7b3f91a14ee2e3e081ae64f
                                                                                    • Opcode Fuzzy Hash: ed8d36e901112f33559567c648bed9419cc619faaaa0518c33712cdb676d3d9b
                                                                                    • Instruction Fuzzy Hash: 7E31B33171C91A4FEA58EA1CE4A59F577D1FF5A32175000BDE18EC7292DE19FC828380
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5f432831720deabd28e4eb8956d9ecfb99252f6e453f1c8cba66b292b1823224
                                                                                    • Instruction ID: fc24d6d72dbbe08355389728c8f55e676516517dc8c861060fa782bcf81f3602
                                                                                    • Opcode Fuzzy Hash: 5f432831720deabd28e4eb8956d9ecfb99252f6e453f1c8cba66b292b1823224
                                                                                    • Instruction Fuzzy Hash: 7621C962B0DE9E0FEB95EA6C54A52F93BD1EF9A220B54017BD54DC31D1DE1C9C015381
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6144b4894762a5ed1cbe7092ab26c6adc9e11782adbd1f7bb449d59670ef5651
                                                                                    • Instruction ID: f58c90188df973833814f741865be5e244c53483774bf3909d5a945ae16e7159
                                                                                    • Opcode Fuzzy Hash: 6144b4894762a5ed1cbe7092ab26c6adc9e11782adbd1f7bb449d59670ef5651
                                                                                    • Instruction Fuzzy Hash: 6E210792B0DB990FE395DA3C48A91B4BFD1EF9626174801FBD88DC72E3DC5CA8098351
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3616e569553f181bd3df06e4e22db9a84250bacc5cd46bd8f467bdb354a7d7e6
                                                                                    • Instruction ID: 5e0fe60bc7361f7238297bb238f4b3cb3c6fed813a09cde1b0c0a7a3a6e1d58c
                                                                                    • Opcode Fuzzy Hash: 3616e569553f181bd3df06e4e22db9a84250bacc5cd46bd8f467bdb354a7d7e6
                                                                                    • Instruction Fuzzy Hash: 0B213A32E0DAD54FF3659AAC5CB61F47F90EF67210F0801BBD589DA193E95DAC848342
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 81900599fe5a646d60d4e0399479a0255b5603e8958a172f3f258ef0c77bf49d
                                                                                    • Instruction ID: 88016b2f69a46a4b7e652e41dd1f5c89a44eed0ec41e7c3f24362dd0143757f9
                                                                                    • Opcode Fuzzy Hash: 81900599fe5a646d60d4e0399479a0255b5603e8958a172f3f258ef0c77bf49d
                                                                                    • Instruction Fuzzy Hash: 67210026F189AA4AF7B09A284CA22F97BD1EF57350F1481B7C61CC7683DD1C281A6681
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ac1335dbce5c5f7e5ddc4d51bdf060ad457f311342eb81a1aeee739f2b14294d
                                                                                    • Instruction ID: a94e0df761166d9fa40bae8b12f846a74ca2294e45b91627c98a18d20e3cbdef
                                                                                    • Opcode Fuzzy Hash: ac1335dbce5c5f7e5ddc4d51bdf060ad457f311342eb81a1aeee739f2b14294d
                                                                                    • Instruction Fuzzy Hash: D621C231E1C5AE4EF7B19A6488712FDBAE1EF97320F4401B6D55CC3583DD1C29196A81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1ae26b793c2cc732329827eab320fdc35d2b647a2e235424dd838608a4ef3189
                                                                                    • Instruction ID: 16e9f83add1d149af4a8f77172d34985375e394a5fa027b421a5ab0dd367123b
                                                                                    • Opcode Fuzzy Hash: 1ae26b793c2cc732329827eab320fdc35d2b647a2e235424dd838608a4ef3189
                                                                                    • Instruction Fuzzy Hash: EA116D7160D7810FE3409B2464652FB7FD4EF82324F4480BBD589CB193DE2D94419342
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 66d50a39d5ee499afabd12ccf2724bbf54b9ea2d9828fc610ac623dbe578d051
                                                                                    • Instruction ID: 21faecf55c841cd0d143e961f7161f7a1e00b118900636dfa2cb4edb58bc46a4
                                                                                    • Opcode Fuzzy Hash: 66d50a39d5ee499afabd12ccf2724bbf54b9ea2d9828fc610ac623dbe578d051
                                                                                    • Instruction Fuzzy Hash: 89119032F1896E49F7B4AA68D8A12FEB2D5EF9B330F440136D61DD3582DD1C391A3981
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: df4c68611758dd333fb46a3c45b3cc3ee74992b6445a43a4493a57e56c19f5e9
                                                                                    • Instruction ID: a2b3200e40cb9167c7e25dcdff7c6aaf09a0b0f26fdb172d0d4be05561511527
                                                                                    • Opcode Fuzzy Hash: df4c68611758dd333fb46a3c45b3cc3ee74992b6445a43a4493a57e56c19f5e9
                                                                                    • Instruction Fuzzy Hash: AD11273290D6D61FE7159A3098A68EA7BD0EF82330F4406BFE185DB0E2D95D66568382
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5497ee1724417be7c836aa8e8a4eea72eca1d33a4d97e3707a755c12862e3424
                                                                                    • Instruction ID: 52ed23fbcbe0280a46d43ed259d8c644622be45fff018f408ca6581e3f2e8f87
                                                                                    • Opcode Fuzzy Hash: 5497ee1724417be7c836aa8e8a4eea72eca1d33a4d97e3707a755c12862e3424
                                                                                    • Instruction Fuzzy Hash: 1D110172E0CA5D0FEB81EF1888965ED7BF1FB9A320B040177D509C7292DE2C98048381
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d00b572fbba42f6f99fa36f9da754760b05609a9bbb8af9227844569e782ca18
                                                                                    • Instruction ID: d3b1fe1f277ecf113dbb2fff68e65c875a014fcadd610c7c684f64b4c42ef7c1
                                                                                    • Opcode Fuzzy Hash: d00b572fbba42f6f99fa36f9da754760b05609a9bbb8af9227844569e782ca18
                                                                                    • Instruction Fuzzy Hash: 0E01F13254DA950FD3529B2498625E67BE0EB82330F0907BBE189D70A3DE9E5946C3C2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f1ef480933d4e7c46c96cbb84ddc004c6ca9d8bca204cb97abbea81a5393f4d2
                                                                                    • Instruction ID: 3f1c0243dda3a528121d7ef0efd91ea6c4817f468d6327f56b9bd45abcd01e27
                                                                                    • Opcode Fuzzy Hash: f1ef480933d4e7c46c96cbb84ddc004c6ca9d8bca204cb97abbea81a5393f4d2
                                                                                    • Instruction Fuzzy Hash: 7701D452B1DAE54FE75AAB6884B11F9BB90EF9A22170541FBD08DC71D3D91C6C058341
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 627a47fc2d2067b5e52868457b3546889f158f1f17959fad6cf22eb947db7ff3
                                                                                    • Instruction ID: a1deda0f862ef3df49b47c3d34689fb300e5379bee0ed2e7451fff59bf3a082c
                                                                                    • Opcode Fuzzy Hash: 627a47fc2d2067b5e52868457b3546889f158f1f17959fad6cf22eb947db7ff3
                                                                                    • Instruction Fuzzy Hash: 6E11252250DBD50FF3268A309C655D67FE1AF82220F0842BBD195DB1E2DD5CA54983A2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5974a42cde2e7886de1e312b7f91d02f5514b5362c110b264d4a076d6ca0fed0
                                                                                    • Instruction ID: b287bedaaa310f47e56ad50a1b5c6c5b35c8b08e6acd15ced9c49a03ff70cb5b
                                                                                    • Opcode Fuzzy Hash: 5974a42cde2e7886de1e312b7f91d02f5514b5362c110b264d4a076d6ca0fed0
                                                                                    • Instruction Fuzzy Hash: 87F0F652A0EA940FF7559B6844753B87BD1EBD7310F0901FAD109CA1D3DF5C1D825381
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 62c7b3b83ff5b7ea9585902278003bb63182cca8194c789751241b0575bae31b
                                                                                    • Instruction ID: b544bbb2ca7a38c65c1f55ac79ad3fd2a5761560e8bdf1a2c5a2e101911a6df0
                                                                                    • Opcode Fuzzy Hash: 62c7b3b83ff5b7ea9585902278003bb63182cca8194c789751241b0575bae31b
                                                                                    • Instruction Fuzzy Hash: 8CF03C32F0881E4FABC4EA4C94926FD73E2EBD9260B540176D11ED3282CE2CA8429380
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8fa939a7408d1d2fbc8bddc034cc0dd7022447e4660bc8cab0be9ca6e6e75627
                                                                                    • Instruction ID: ea1d56f7de1026326227bbeebb9e38bc5459a337ab1ee1df4fcafb6fd675a59c
                                                                                    • Opcode Fuzzy Hash: 8fa939a7408d1d2fbc8bddc034cc0dd7022447e4660bc8cab0be9ca6e6e75627
                                                                                    • Instruction Fuzzy Hash: FBF03C32F0881E4FEBC4EA4C94926FD73E2EBD9260B540176D11ED3282CE2CA8429380
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7a9facef25295fa9a4adf4f6177aa7590da8bb325fc14c4d1f0909bef27a48ac
                                                                                    • Instruction ID: a11dd6d3258e86733eebf35958694a190757330f8f3d7b30a5a11c8770bf6986
                                                                                    • Opcode Fuzzy Hash: 7a9facef25295fa9a4adf4f6177aa7590da8bb325fc14c4d1f0909bef27a48ac
                                                                                    • Instruction Fuzzy Hash: 88F03131F1881E4FEB84EA4C94916FD73E2FBD9261B540176D11DD3281CE2C58419380
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.4604030860.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd34660000_OrionAscension.jbxd
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (o4$(o4$8o4$8o4$@o4$Ho4$Po4$Xo4$Xo4$ho4$ho4$xo4
                                                                                    • API String ID: 0-2540299201