
Windows Analysis Report
Order_12232024.exe

Overview

General Information

Sample name: Order_12232024.exe
Analysis ID: 1579851
MD5: ff80002015c1c3e3b18aab780227940e
SHA1: a9af963334a77fb0abdd0f6f3a8b2fce6f33663e
SHA256: 8ef455d1383249717a5d6215a98c176da08d5cf9f2d70f6d3ea24368b36b00c5
Tags: exe, MassLogger, user-julianmckein

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Order_12232024.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\Order_12232024.exe" MD5: FF80002015C1C3E3B18AAB780227940E)
    • powershell.exe (PID: 7448 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_12232024.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7504 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qIDGekPXala.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7908 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7532 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIDGekPXala" /XML "C:\Users\user\AppData\Local\Temp\tmp7D27.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Order_12232024.exe (PID: 7708 cmdline: "C:\Users\user\Desktop\Order_12232024.exe" MD5: FF80002015C1C3E3B18AAB780227940E)
    • Order_12232024.exe (PID: 7716 cmdline: "C:\Users\user\Desktop\Order_12232024.exe" MD5: FF80002015C1C3E3B18AAB780227940E)
  • qIDGekPXala.exe (PID: 7824 cmdline: C:\Users\user\AppData\Roaming\qIDGekPXala.exe MD5: FF80002015C1C3E3B18AAB780227940E)
    • schtasks.exe (PID: 8036 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIDGekPXala" /XML "C:\Users\user\AppData\Local\Temp\tmp9061.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • qIDGekPXala.exe (PID: 8080 cmdline: "C:\Users\user\AppData\Roaming\qIDGekPXala.exe" MD5: FF80002015C1C3E3B18AAB780227940E)
  • cleanup
{"EXfil Mode": "SMTP", "From": "kingnovasend@zqamcx.com", "Password": "Anambraeast", "Server": "zqamcx.com", "To": "kingnovaresult@zqamcx.com", "Port": 587}
Source | Rule | Description | Author | Strings
00000009.00000002.2931296361.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000009.00000002.2931296361.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000009.00000002.2931296361.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000009.00000002.2931296361.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xefa7:$a1: get_encryptedPassword
  • 0xf2cf:$a2: get_encryptedUsername
  • 0xed42:$a3: get_timePasswordChanged
  • 0xee63:$a4: get_passwordField
  • 0xefbd:$a5: set_encryptedPassword
  • 0x10919:$a7: get_logins
  • 0x105ca:$a8: GetOutlookPasswords
  • 0x103bc:$a9: StartKeylogger
  • 0x10869:$a10: KeyLoggerEventArgs
  • 0x10419:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1722150488.00000000042F9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
(20 further entries not shown)
Source | Rule | Description | Author | Strings
0.2.Order_12232024.exe.43af188.2.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
0.2.Order_12232024.exe.43af188.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.Order_12232024.exe.43af188.2.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.2.Order_12232024.exe.43af188.2.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xd3a7:$a1: get_encryptedPassword
  • 0xd6cf:$a2: get_encryptedUsername
  • 0xd142:$a3: get_timePasswordChanged
  • 0xd263:$a4: get_passwordField
  • 0xd3bd:$a5: set_encryptedPassword
  • 0xed19:$a7: get_logins
  • 0xe9ca:$a8: GetOutlookPasswords
  • 0xe7bc:$a9: StartKeylogger
  • 0xec69:$a10: KeyLoggerEventArgs
  • 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.Order_12232024.exe.43af188.2.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1234b:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x11849:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x11b57:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1294f:$a5: \Kometa\User Data\Default\Login Data
(14 further entries not shown)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_12232024.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_12232024.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Order_12232024.exe", ParentImage: C:\Users\user\Desktop\Order_12232024.exe, ParentProcessId: 7256, ParentProcessName: Order_12232024.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_12232024.exe", ProcessId: 7448, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_12232024.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_12232024.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Order_12232024.exe", ParentImage: C:\Users\user\Desktop\Order_12232024.exe, ParentProcessId: 7256, ParentProcessName: Order_12232024.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_12232024.exe", ProcessId: 7448, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIDGekPXala" /XML "C:\Users\user\AppData\Local\Temp\tmp9061.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIDGekPXala" /XML "C:\Users\user\AppData\Local\Temp\tmp9061.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\qIDGekPXala.exe, ParentImage: C:\Users\user\AppData\Roaming\qIDGekPXala.exe, ParentProcessId: 7824, ParentProcessName: qIDGekPXala.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIDGekPXala" /XML "C:\Users\user\AppData\Local\Temp\tmp9061.tmp", ProcessId: 8036, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIDGekPXala" /XML "C:\Users\user\AppData\Local\Temp\tmp7D27.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIDGekPXala" /XML "C:\Users\user\AppData\Local\Temp\tmp7D27.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Order_12232024.exe", ParentImage: C:\Users\user\Desktop\Order_12232024.exe, ParentProcessId: 7256, ParentProcessName: Order_12232024.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIDGekPXala" /XML "C:\Users\user\AppData\Local\Temp\tmp7D27.tmp", ProcessId: 7532, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_12232024.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_12232024.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Order_12232024.exe", ParentImage: C:\Users\user\Desktop\Order_12232024.exe, ParentProcessId: 7256, ParentProcessName: Order_12232024.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_12232024.exe", ProcessId: 7448, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIDGekPXala" /XML "C:\Users\user\AppData\Local\Temp\tmp7D27.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIDGekPXala" /XML "C:\Users\user\AppData\Local\Temp\tmp7D27.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Order_12232024.exe", ParentImage: C:\Users\user\Desktop\Order_12232024.exe, ParentProcessId: 7256, ParentProcessName: Order_12232024.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIDGekPXala" /XML "C:\Users\user\AppData\Local\Temp\tmp7D27.tmp", ProcessId: 7532, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T12:19:06.309912+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49735 | 193.122.130.0 | 80 | TCP
2024-12-23T12:19:10.619690+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49739 | 193.122.130.0 | 80 | TCP


AV Detection

Source: Order_12232024.exe; Avira: detected
Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe; Avira: detection malicious, Label: HEUR/AGEN.1304597
Source: 0.2.Order_12232024.exe.43af188.2.raw.unpack; Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "kingnovasend@zqamcx.com", "Password": "Anambraeast", "Server": "zqamcx.com", "To": "kingnovaresult@zqamcx.com", "Port": 587}
Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe; ReversingLabs: Detection: 60%
Source: Order_12232024.exe; ReversingLabs: Detection: 60%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe; Joe Sandbox ML: detected
Source: Order_12232024.exe; Joe Sandbox ML: detected

Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org
Source: Order_12232024.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49737 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49740 version: TLS 1.0
Source: Order_12232024.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Order_12232024.exe; Code function: 4x nop then jmp 07E0D513h; function 0_2_07E0CCCA
Source: C:\Users\user\Desktop\Order_12232024.exe; Code function: 4x nop then jmp 00D29731h; function 9_2_00D29480
Source: C:\Users\user\Desktop\Order_12232024.exe; Code function: 4x nop then jmp 00D29E5Ah; function 9_2_00D29A40
Source: C:\Users\user\Desktop\Order_12232024.exe; Code function: 4x nop then jmp 00D29E5Ah; function 9_2_00D29A30
Source: C:\Users\user\Desktop\Order_12232024.exe; Code function: 4x nop then jmp 00D29E5Ah; function 9_2_00D29D87
Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe; Code function: 4x nop then jmp 079AC3ABh; function 10_2_079ABB62
Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe; Code function: 4x nop then jmp 02CE9731h; function 14_2_02CE9480
Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe; Code function: 4x nop then jmp 02CE9E5Ah; function 14_2_02CE9A40
Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe; Code function: 4x nop then jmp 02CE9E5Ah; function 14_2_02CE9A30
Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe; Code function: 4x nop then jmp 02CE9E5Ah; function 14_2_02CE9D87
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 193.122.130.0 193.122.130.0
Source: Joe Sandbox View; IP Address: 172.67.177.134 172.67.177.134
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown; DNS query: name: checkip.dyndns.org
Source: unknown; DNS query: name: reallyfreegeoip.org
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49735 -> 193.122.130.0:80
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49739 -> 193.122.130.0:80
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown; HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49737 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49740 version: TLS 1.0
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic; DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic; DNS traffic detected: DNS query: reallyfreegeoip.org
Source: Order_12232024.exe, 00000009.00000002.2933772587.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.com
Source: Order_12232024.exe, 00000009.00000002.2933772587.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.comd
Source: Order_12232024.exe, 00000009.00000002.2933772587.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, Order_12232024.exe, 00000009.00000002.2933772587.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002ECC000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org
Source: Order_12232024.exe, 00000009.00000002.2933772587.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002E61000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/
Source: Order_12232024.exe, 00000009.00000002.2933772587.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/d
Source: Order_12232024.exe, 00000000.00000002.1722150488.0000000004348000.00000004.00000800.00020000.00000000.sdmp, Order_12232024.exe, 00000000.00000002.1722150488.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, Order_12232024.exe, 00000009.00000002.2931296361.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/q
Source: Order_12232024.exe, 00000009.00000002.2933772587.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.orgd
Source: Order_12232024.exe, qIDGekPXala.exe.0.dr; String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Order_12232024.exe, qIDGekPXala.exe.0.dr; String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Order_12232024.exe, qIDGekPXala.exe.0.dr; String found in binary or memory: http://ocsp.comodoca.com0
Source: Order_12232024.exe, 00000009.00000002.2933772587.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://reallyfreegeoip.org
Source: Order_12232024.exe, 00000009.00000002.2933772587.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://reallyfreegeoip.orgd
Source: Order_12232024.exe, 00000009.00000002.2933772587.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002E61000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Order_12232024.exe, 00000000.00000002.1721618455.00000000032F1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name2L
Source: qIDGekPXala.exe, 0000000A.00000002.1771806524.0000000003331000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameX
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fonts.com
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sakkal.com
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.tiro.com
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.typography.netD
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: Order_12232024.exe, 00000000.00000002.1722150488.0000000004348000.00000004.00000800.00020000.00000000.sdmp, Order_12232024.exe, 00000000.00000002.1722150488.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, Order_12232024.exe, 00000009.00000002.2931296361.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: Order_12232024.exe, 00000009.00000002.2933772587.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org
Source: Order_12232024.exe, 00000000.00000002.1722150488.0000000004348000.00000004.00000800.00020000.00000000.sdmp, Order_12232024.exe, 00000000.00000002.1722150488.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, Order_12232024.exe, 00000009.00000002.2931296361.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Order_12232024.exe, 00000009.00000002.2933772587.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Order_12232024.exe, 00000009.00000002.2933772587.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: Order_12232024.exe, 00000009.00000002.2933772587.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: Order_12232024.exe, qIDGekPXala.exe.0.dr; String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown; Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown; Network traffic detected: HTTP traffic on port 49737 -> 443

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Order_12232024.exe.43af188.2.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
Source: 0.2.Order_12232024.exe.4311ae8.3.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode

                System Summary

Source: 0.2.Order_12232024.exe.43af188.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Order_12232024.exe.43af188.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Order_12232024.exe.4311ae8.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Order_12232024.exe.4311ae8.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Order_12232024.exe.4311ae8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Order_12232024.exe.4311ae8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Order_12232024.exe.43af188.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.2931296361.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1722150488.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1722150488.0000000004348000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Order_12232024.exe PID: 7256, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Order_12232024.exe PID: 7716, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: initial sample | Static PE information: Filename: Order_12232024.exe
Source: Order_12232024.exe | Static PE information: invalid certificate
Source: Order_12232024.exe, 00000000.00000002.1722150488.0000000004348000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs Order_12232024.exe
Source: Order_12232024.exe, 00000000.00000002.1722150488.0000000004348000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Order_12232024.exe
Source: Order_12232024.exe, 00000000.00000002.1738026373.0000000007C4B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXRaN.exe" vs Order_12232024.exe
Source: Order_12232024.exe, 00000000.00000002.1722150488.00000000042F9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs Order_12232024.exe
Source: Order_12232024.exe, 00000000.00000002.1721618455.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs Order_12232024.exe
Source: Order_12232024.exe, 00000000.00000002.1721618455.000000000330B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs Order_12232024.exe
Source: Order_12232024.exe, 00000000.00000002.1728559747.0000000005B70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs Order_12232024.exe
Source: Order_12232024.exe, 00000000.00000002.1739469919.0000000007F30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Order_12232024.exe
Source: Order_12232024.exe, 00000000.00000000.1682116916.0000000000FA2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXRaN.exe" vs Order_12232024.exe
Source: Order_12232024.exe, 00000000.00000002.1719696655.00000000014AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Order_12232024.exe
Source: Order_12232024.exe, 00000009.00000002.2931538216.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Order_12232024.exe
Source: Order_12232024.exe | Binary or memory string: OriginalFilenameXRaN.exe" vs Order_12232024.exe
Source: Order_12232024.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.Order_12232024.exe.43af188.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Order_12232024.exe.43af188.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Order_12232024.exe.4311ae8.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Order_12232024.exe.4311ae8.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Order_12232024.exe.4311ae8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Order_12232024.exe.4311ae8.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Order_12232024.exe.43af188.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.2931296361.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1722150488.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1722150488.0000000004348000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Order_12232024.exe PID: 7256, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Order_12232024.exe PID: 7716, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Order_12232024.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: qIDGekPXala.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Order_12232024.exe.43af188.2.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Order_12232024.exe.43af188.2.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Order_12232024.exe.4311ae8.3.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Order_12232024.exe.4311ae8.3.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, s4YrvVpETYpis0QEZK.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, cSk6sh7oJaRRpSMWDG.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, cSk6sh7oJaRRpSMWDG.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, cSk6sh7oJaRRpSMWDG.cs | Security API names: _0020.AddAccessRule
Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, s4YrvVpETYpis0QEZK.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, cSk6sh7oJaRRpSMWDG.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, cSk6sh7oJaRRpSMWDG.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, cSk6sh7oJaRRpSMWDG.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@21/15@2/2
Source: C:\Users\user\Desktop\Order_12232024.exe | File created: C:\Users\user\AppData\Roaming\qIDGekPXala.exe
Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Users\user\Desktop\Order_12232024.exe | File created: C:\Users\user\AppData\Local\Temp\tmp7D27.tmp
Source: Order_12232024.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Order_12232024.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\Order_12232024.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Order_12232024.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Order_12232024.exe, 00000009.00000002.2933772587.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, Order_12232024.exe, 00000009.00000002.2933772587.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp, Order_12232024.exe, 00000009.00000002.2933772587.0000000002B2E000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002F5C000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002F4E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Order_12232024.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\Order_12232024.exe | File read: C:\Users\user\Desktop\Order_12232024.exe
Source: unknown | Process created: C:\Users\user\Desktop\Order_12232024.exe "C:\Users\user\Desktop\Order_12232024.exe"
Source: C:\Users\user\Desktop\Order_12232024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_12232024.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_12232024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qIDGekPXala.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_12232024.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIDGekPXala" /XML "C:\Users\user\AppData\Local\Temp\tmp7D27.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_12232024.exe | Process created: C:\Users\user\Desktop\Order_12232024.exe "C:\Users\user\Desktop\Order_12232024.exe"
Source: C:\Users\user\Desktop\Order_12232024.exe | Process created: C:\Users\user\Desktop\Order_12232024.exe "C:\Users\user\Desktop\Order_12232024.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\qIDGekPXala.exe C:\Users\user\AppData\Roaming\qIDGekPXala.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIDGekPXala" /XML "C:\Users\user\AppData\Local\Temp\tmp9061.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe | Process created: C:\Users\user\AppData\Roaming\qIDGekPXala.exe "C:\Users\user\AppData\Roaming\qIDGekPXala.exe"
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: version.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: rasapi32.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: rasman.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: rtutils.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: secur32.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Section loaded: dpapi.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: textshaping.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: rasapi32.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: rasman.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: rtutils.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: winnsi.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: secur32.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: schannel.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: mskeyprotect.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: ncryptsslp.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder	Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\Order_12232024.exe	File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\Order_12232024.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Order_12232024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Order_12232024.exe	Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, cSk6sh7oJaRRpSMWDG.cs	.Net Code: RfTvgfqX45 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, cSk6sh7oJaRRpSMWDG.cs	.Net Code: RfTvgfqX45 System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\Order_12232024.exe	Code function: 0_2_07E0C6E0 push esp; iretd 0_2_07E0C6E1
                Source: C:\Users\user\Desktop\Order_12232024.exe	Code function: 0_2_07E0B549 push eax; retf 0_2_07E0B54A
                Source: C:\Users\user\Desktop\Order_12232024.exe	Code function: 0_2_07E064DE pushfd ; retf 0_2_07E064E8
                Source: C:\Users\user\Desktop\Order_12232024.exe	Code function: 0_2_07E0647D pushfd ; retf 0_2_07E06488
                Source: C:\Users\user\Desktop\Order_12232024.exe	Code function: 0_2_07E0643C pushfd ; retf 0_2_07E0643D
                Source: C:\Users\user\Desktop\Order_12232024.exe	Code function: 9_2_00D2B3A8 push eax; iretd 9_2_00D2B445
                Source: C:\Users\user\Desktop\Order_12232024.exe	Code function: 9_2_00D23493 push ebx; retf 9_2_00D2349A
                Source: C:\Users\user\Desktop\Order_12232024.exe	Code function: 9_2_00D2BB37 push es; iretd 9_2_00D2BB44
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Code function: 10_2_079A5C49 push 5D043376h; ret 10_2_079A5C6F
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Code function: 10_2_079ACA10 push esp; iretd 10_2_079ACA11
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe	Code function: 14_2_02CE3493 push ebx; iretd 14_2_02CE349A
                Source: Order_12232024.exe	Static PE information: section name: .text entropy: 7.341969643106022
                Source: qIDGekPXala.exe.0.dr	Static PE information: section name: .text entropy: 7.341969643106022
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, tbCsXLSGKXZ3YgpwHd.cs	High entropy of concatenated method names: 'j3yIpkEJIP', 'FK9IrCBl30', 'QqfIV3v02M', 't4tIZF0DsS', 'ad1Ik64HO7', 'cAZIuU2Noq', 'IkGItjqZiD', 'iTiINpOsyL', 'DaYIG1oPxY', 'YdaI2vqZrn'
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, s4YrvVpETYpis0QEZK.cs	High entropy of concatenated method names: 'KH2fQnrGa9', 'pvqfORgEYS', 'w7lf69tgtV', 'S9wfE4Dc2k', 'MHofyAw13x', 'wCXfAxtfb1', 'MrgfssWRyv', 'xuJfb6SMiN', 'blgfcMZjMs', 'T3efaLbVWk'
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, lyyshItx7OoYp21nqt.cs	High entropy of concatenated method names: 'obYR1AIr1I', 'IA5RHtg4Jg', 'JuuRYS6KnW', 'FbhYaldGhJ', 'LB7YzrowBm', 'MQPRhYPRV8', 'DyMRerLsLO', 'qT7RxjJy4Z', 'YR1R0VkX3P', 'qOURvi9qKo'
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, RpxDgkVGY39aOENR0n.cs	High entropy of concatenated method names: 'LMcYDYo0F9', 'ToXYf4VCFM', 'YIHYTQ6haj', 'EpWYRQpyxU', 'uKDY71ptob', 'akeTysQ0mM', 'mC6TAVAEOX', 'wIVTsEhu3Y', 'E70Tb1vvYU', 'VK5TcCPdkP'
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, yl93fgQeDxDAkOis5D.cs	High entropy of concatenated method names: 'Hh75Gx1A1C', 'Q0d5JbBbTo', 'DR75QmlKGw', 'Iiu5Ogfrym', 'ADj5Z1ZtQA', 'qTo5oMAaqH', 'HJr5k1nNRX', 'gWY5u2oxSl', 'UHU5q953NO', 'jlU5toV0Qr'
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, Vf7ySrr7hKEQQYED6m.cs	High entropy of concatenated method names: 'CqAHdE0t6D', 'gd1HU9a9WW', 'UN7HpaHQGP', 'd8FHrfJnMD', 'JatH5kOcHC', 'rFgHBlIZBy', 'yGuHnE8BN1', 'F4pHwfHZPY', 'Y4MHMDlefe', 'tvMHCjXdBj'
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, Y4dAdAeetcWjnZgfUR1.cs	High entropy of concatenated method names: 'JfqCashngh', 'cWPCzu1tWy', 'OTamhZLy4p', 'gbcmeDqTnp', 'TGemxpRpJj', 'I49m0sQQBu', 'HxmmvO1v4s', 'lsqmDmRSgA', 'AhKm18Ukb0', 'V6Wmf9XLTF'
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, iJBNc491L7qQKsWkpg.cs	High entropy of concatenated method names: 'buGRKbryqn', 'L5oRFMPwJS', 'EcPRg4mKC2', 'SMTRdAwlsH', 'h2lRPmnQ1B', 'h8ZRUfM2aN', 'w1BR4IkeEG', 'IDfRpt3yIB', 'g1yRrfDvpC', 'VLHR3AeIkx'
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, z92RccxSfOi7Gw5yPm.cs	High entropy of concatenated method names: 'ErcgotxMb', 'qFEd5T3RR', 'GHkU58JG1', 'uP24DLDI2', 'jmQrVJXy5', 'XKH3R4iYg', 'xVxfUVJ9wUpfrWRHwo', 'T3dgOc4bwMM79gjN3f', 'qyYwH6xAt', 'MuwCqA4Re'
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, Hh0U2qsdB0SvoCuhKv.cs	High entropy of concatenated method names: 'paoM5h7FdQ', 'visMnPbwxY', 'aZFMMMdlIg', 'GBWMmpWlMS', 'LpqMXfLntS', 'Bu7MjaZa7E', 'Dispose', 'jVKw1gYsPc', 'Of2wf0rMVN', 'qsMwHtarda'
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, RCG2u165GoEp39SPmf.cs	High entropy of concatenated method names: 'ToString', 'rjIB2vGmcd', 'bKxBZgoGCP', 'hjxBo8dMfC', 'pMXBkvWMyx', 'HJUBuTNBRr', 'Q5vBqZuxkH', 'psoBtytwrP', 'GGeBNAhfCy', 'OTaB9Hl8qP'
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, jDJ4bdcxxxKmysVQ7F.cs	High entropy of concatenated method names: 'J32MVAWhA9', 'HQaMZOSJDP', 'D3bMoy54JE', 'u2YMkLDYJr', 'w6EMuUPtT1', 'Be2MqSlEWM', 'fd6MtLNqZP', 'QnIMN17CRI', 'gIAM9IlaVD', 'e1vMGLSGno'
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, t8soR3AK3jcO1Cafhm.cs	High entropy of concatenated method names: 'C6Tnbtp8wq', 'chQnad0awE', 'TgUwhDbIRr', 'a4ZweWPx0n', 'tUWn2cKTZa', 'IO7nJu6PME', 'vVNnS1IaEB', 'zkRnQgwCpY', 'hB5nOI45eI', 'zk5n6siZm6'
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, rpHlk234soRKA7GVnt.cs	High entropy of concatenated method names: 'qSGTPChDeG', 'S6NT4yFGck', 'TeBHoJTeM2', 'm5XHk4lL3C', 'h4JHuNhyM9', 'WMpHqLmtVr', 'sq8Ht9orAU', 'k3gHNZdn9H', 'sC4H91ZQg4', 'F6rHGBPBX2'
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, cSk6sh7oJaRRpSMWDG.cs	High entropy of concatenated method names: 'qav0DvVEOe', 'klS01SgGkC', 'yUY0fhuZ4F', 'Qus0HBQwRg', 'aNP0TnAMPc', 'Cic0Y2dMxk', 'FEY0RB7aYe', 'SQY07mGlxA', 'eRw0LXguUb', 'yIR0ig3l2E'
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, wYfrMtvYhu62uw1MAR.cs	High entropy of concatenated method names: 'mrCeR4YrvV', 'TTYe7pis0Q', 'E7heiKEQQY', 'TD6e8mMpHl', 'kGVe5ntOpx', 'egkeBGY39a', 'BJuwscH6WjsER0YMaO', 'RKXqBX6e0ogWlHvJfE', 'XDkeemUlS6', 'CG0e0N7Afs'
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, fqylAbevEpiHuoFdIOL.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'P5SWMBiVIo', 'esUWCM2wKM', 'I7MWm5bXuk', 'tjFWWYf5fs', 'EnLWXAYKEF', 'IiGWliQl5A', 'dIUWjjMnb4'
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, LLCmwaeh8s2KiFfWx1o.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'D9UC2GtWr3', 'O2ICJaW3LH', 'fhnCSrqSSK', 'YpsCQ8prdx', 'F9pCO3poqr', 'd36C6PNe2i', 'DGJCEZRowH'
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, s2juWQzPcqDsYm53Vd.cs	High entropy of concatenated method names: 'HZBCUumSDM', 'IjlCpTVaNR', 'Jt1CrqWKhK', 'KVZCV5DSo4', 'GMSCZ7dsM2', 'vkKCk5mF8N', 'v3iCuTSmVg', 'QjoCjt6Ghu', 'ufqCKeJsUX', 'qk5CFhh942'
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, mIf5duf9UgGRCA6nur.cs	High entropy of concatenated method names: 'Dispose', 'dSvecoCuhK', 'kmjxZeD3Ry', 'pmZZGXdZML', 'eUheal1M7I', 'QrFezpFBgt', 'ProcessDialogKey', 'x2RxhDJ4bd', 'bxxxeKmysV', 'Q7FxxvyhqN'
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, dyhqNladfYina4vJI6.cs	High entropy of concatenated method names: 'hGgCHo4JMp', 'BF9CTEYD8X', 'eAACY4vfIl', 'oWnCR7uGJt', 'OOKCMLestV', 'CcuC7RIRo3', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.Order_12232024.exe.7f30000.5.raw.unpack, ENNIyBE0frneorTC83.cs	High entropy of concatenated method names: 'ou6niUFWqT', 'Aa4n83hskp', 'ToString', 'i5On1WnyM9', 'Jd4nfenZsb', 'oqLnHmBfDd', 't2knT1SKq6', 's0DnYnoE2T', 'awynRNSwXN', 'AH1n7Ua0NN'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, tbCsXLSGKXZ3YgpwHd.cs	High entropy of concatenated method names: 'j3yIpkEJIP', 'FK9IrCBl30', 'QqfIV3v02M', 't4tIZF0DsS', 'ad1Ik64HO7', 'cAZIuU2Noq', 'IkGItjqZiD', 'iTiINpOsyL', 'DaYIG1oPxY', 'YdaI2vqZrn'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, s4YrvVpETYpis0QEZK.cs	High entropy of concatenated method names: 'KH2fQnrGa9', 'pvqfORgEYS', 'w7lf69tgtV', 'S9wfE4Dc2k', 'MHofyAw13x', 'wCXfAxtfb1', 'MrgfssWRyv', 'xuJfb6SMiN', 'blgfcMZjMs', 'T3efaLbVWk'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, lyyshItx7OoYp21nqt.cs	High entropy of concatenated method names: 'obYR1AIr1I', 'IA5RHtg4Jg', 'JuuRYS6KnW', 'FbhYaldGhJ', 'LB7YzrowBm', 'MQPRhYPRV8', 'DyMRerLsLO', 'qT7RxjJy4Z', 'YR1R0VkX3P', 'qOURvi9qKo'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, RpxDgkVGY39aOENR0n.cs	High entropy of concatenated method names: 'LMcYDYo0F9', 'ToXYf4VCFM', 'YIHYTQ6haj', 'EpWYRQpyxU', 'uKDY71ptob', 'akeTysQ0mM', 'mC6TAVAEOX', 'wIVTsEhu3Y', 'E70Tb1vvYU', 'VK5TcCPdkP'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, yl93fgQeDxDAkOis5D.cs	High entropy of concatenated method names: 'Hh75Gx1A1C', 'Q0d5JbBbTo', 'DR75QmlKGw', 'Iiu5Ogfrym', 'ADj5Z1ZtQA', 'qTo5oMAaqH', 'HJr5k1nNRX', 'gWY5u2oxSl', 'UHU5q953NO', 'jlU5toV0Qr'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, Vf7ySrr7hKEQQYED6m.cs	High entropy of concatenated method names: 'CqAHdE0t6D', 'gd1HU9a9WW', 'UN7HpaHQGP', 'd8FHrfJnMD', 'JatH5kOcHC', 'rFgHBlIZBy', 'yGuHnE8BN1', 'F4pHwfHZPY', 'Y4MHMDlefe', 'tvMHCjXdBj'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, Y4dAdAeetcWjnZgfUR1.cs	High entropy of concatenated method names: 'JfqCashngh', 'cWPCzu1tWy', 'OTamhZLy4p', 'gbcmeDqTnp', 'TGemxpRpJj', 'I49m0sQQBu', 'HxmmvO1v4s', 'lsqmDmRSgA', 'AhKm18Ukb0', 'V6Wmf9XLTF'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, iJBNc491L7qQKsWkpg.cs	High entropy of concatenated method names: 'buGRKbryqn', 'L5oRFMPwJS', 'EcPRg4mKC2', 'SMTRdAwlsH', 'h2lRPmnQ1B', 'h8ZRUfM2aN', 'w1BR4IkeEG', 'IDfRpt3yIB', 'g1yRrfDvpC', 'VLHR3AeIkx'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, z92RccxSfOi7Gw5yPm.cs	High entropy of concatenated method names: 'ErcgotxMb', 'qFEd5T3RR', 'GHkU58JG1', 'uP24DLDI2', 'jmQrVJXy5', 'XKH3R4iYg', 'xVxfUVJ9wUpfrWRHwo', 'T3dgOc4bwMM79gjN3f', 'qyYwH6xAt', 'MuwCqA4Re'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, Hh0U2qsdB0SvoCuhKv.cs	High entropy of concatenated method names: 'paoM5h7FdQ', 'visMnPbwxY', 'aZFMMMdlIg', 'GBWMmpWlMS', 'LpqMXfLntS', 'Bu7MjaZa7E', 'Dispose', 'jVKw1gYsPc', 'Of2wf0rMVN', 'qsMwHtarda'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, RCG2u165GoEp39SPmf.cs	High entropy of concatenated method names: 'ToString', 'rjIB2vGmcd', 'bKxBZgoGCP', 'hjxBo8dMfC', 'pMXBkvWMyx', 'HJUBuTNBRr', 'Q5vBqZuxkH', 'psoBtytwrP', 'GGeBNAhfCy', 'OTaB9Hl8qP'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, jDJ4bdcxxxKmysVQ7F.cs	High entropy of concatenated method names: 'J32MVAWhA9', 'HQaMZOSJDP', 'D3bMoy54JE', 'u2YMkLDYJr', 'w6EMuUPtT1', 'Be2MqSlEWM', 'fd6MtLNqZP', 'QnIMN17CRI', 'gIAM9IlaVD', 'e1vMGLSGno'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, t8soR3AK3jcO1Cafhm.cs	High entropy of concatenated method names: 'C6Tnbtp8wq', 'chQnad0awE', 'TgUwhDbIRr', 'a4ZweWPx0n', 'tUWn2cKTZa', 'IO7nJu6PME', 'vVNnS1IaEB', 'zkRnQgwCpY', 'hB5nOI45eI', 'zk5n6siZm6'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, rpHlk234soRKA7GVnt.cs	High entropy of concatenated method names: 'qSGTPChDeG', 'S6NT4yFGck', 'TeBHoJTeM2', 'm5XHk4lL3C', 'h4JHuNhyM9', 'WMpHqLmtVr', 'sq8Ht9orAU', 'k3gHNZdn9H', 'sC4H91ZQg4', 'F6rHGBPBX2'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, cSk6sh7oJaRRpSMWDG.cs	High entropy of concatenated method names: 'qav0DvVEOe', 'klS01SgGkC', 'yUY0fhuZ4F', 'Qus0HBQwRg', 'aNP0TnAMPc', 'Cic0Y2dMxk', 'FEY0RB7aYe', 'SQY07mGlxA', 'eRw0LXguUb', 'yIR0ig3l2E'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, wYfrMtvYhu62uw1MAR.cs	High entropy of concatenated method names: 'mrCeR4YrvV', 'TTYe7pis0Q', 'E7heiKEQQY', 'TD6e8mMpHl', 'kGVe5ntOpx', 'egkeBGY39a', 'BJuwscH6WjsER0YMaO', 'RKXqBX6e0ogWlHvJfE', 'XDkeemUlS6', 'CG0e0N7Afs'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, fqylAbevEpiHuoFdIOL.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'P5SWMBiVIo', 'esUWCM2wKM', 'I7MWm5bXuk', 'tjFWWYf5fs', 'EnLWXAYKEF', 'IiGWliQl5A', 'dIUWjjMnb4'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, LLCmwaeh8s2KiFfWx1o.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'D9UC2GtWr3', 'O2ICJaW3LH', 'fhnCSrqSSK', 'YpsCQ8prdx', 'F9pCO3poqr', 'd36C6PNe2i', 'DGJCEZRowH'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, s2juWQzPcqDsYm53Vd.cs	High entropy of concatenated method names: 'HZBCUumSDM', 'IjlCpTVaNR', 'Jt1CrqWKhK', 'KVZCV5DSo4', 'GMSCZ7dsM2', 'vkKCk5mF8N', 'v3iCuTSmVg', 'QjoCjt6Ghu', 'ufqCKeJsUX', 'qk5CFhh942'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, mIf5duf9UgGRCA6nur.cs	High entropy of concatenated method names: 'Dispose', 'dSvecoCuhK', 'kmjxZeD3Ry', 'pmZZGXdZML', 'eUheal1M7I', 'QrFezpFBgt', 'ProcessDialogKey', 'x2RxhDJ4bd', 'bxxxeKmysV', 'Q7FxxvyhqN'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, dyhqNladfYina4vJI6.cs	High entropy of concatenated method names: 'hGgCHo4JMp', 'BF9CTEYD8X', 'eAACY4vfIl', 'oWnCR7uGJt', 'OOKCMLestV', 'CcuC7RIRo3', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.Order_12232024.exe.44c99c8.1.raw.unpack, ENNIyBE0frneorTC83.cs	High entropy of concatenated method names: 'ou6niUFWqT', 'Aa4n83hskp', 'ToString', 'i5On1WnyM9', 'Jd4nfenZsb', 'oqLnHmBfDd', 't2knT1SKq6', 's0DnYnoE2T', 'awynRNSwXN', 'AH1n7Ua0NN'
                Source: C:\Users\user\Desktop\Order_12232024.exe	File created: C:\Users\user\AppData\Roaming\qIDGekPXala.exe

                Boot Survival

                Source: C:\Users\user\Desktop\Order_12232024.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIDGekPXala" /XML "C:\Users\user\AppData\Local\Temp\tmp7D27.tmp"

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\Order_12232024.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\Order_12232024.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\Order_12232024.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Order_12232024.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: Order_12232024.exe PID: 7256, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: qIDGekPXala.exe PID: 7824, type: MEMORYSTR
                Source: C:\Users\user\Desktop\Order_12232024.exe Memory allocated: 3100000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Order_12232024.exe Memory allocated: 32F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Order_12232024.exe Memory allocated: 52F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Order_12232024.exe Memory allocated: 9690000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Order_12232024.exe Memory allocated: 8090000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Order_12232024.exe Memory allocated: A690000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Order_12232024.exe Memory allocated: B690000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Order_12232024.exe Memory allocated: D20000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Order_12232024.exe Memory allocated: 2A50000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Order_12232024.exe Memory allocated: 2850000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe Memory allocated: 18E0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe Memory allocated: 3330000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe Memory allocated: 3150000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe Memory allocated: 8E60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe Memory allocated: 9E60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe Memory allocated: A050000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe Memory allocated: B050000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe Memory allocated: 2CE0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe Memory allocated: 2E60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe Memory allocated: 2D00000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Order_12232024.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7040
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9216
                Source: C:\Users\user\Desktop\Order_12232024.exe TID: 7276 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7572 Thread sleep count: 7040 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7552 Thread sleep count: 321 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7772 Thread sleep time: -7378697629483816s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7684 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7800 Thread sleep time: -6456360425798339s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7740 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe TID: 7916 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\Order_12232024.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe | Thread delayed: delay time: 922337203685477
Source: qIDGekPXala.exe, 0000000A.00000002.1768949873.0000000001562000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: qIDGekPXala.exe, 0000000E.00000002.2931662881.0000000000F95000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: Order_12232024.exe, 00000009.00000002.2932731874.0000000000D96000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Order_12232024.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Order_12232024.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.Order_12232024.exe.43af188.2.raw.unpack, UltraSpeed.cs | Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.Order_12232024.exe.43af188.2.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.Order_12232024.exe.43af188.2.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
Source: C:\Users\user\Desktop\Order_12232024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_12232024.exe"
Source: C:\Users\user\Desktop\Order_12232024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qIDGekPXala.exe"
Source: C:\Users\user\Desktop\Order_12232024.exe | Memory written: C:\Users\user\Desktop\Order_12232024.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe | Memory written: C:\Users\user\AppData\Roaming\qIDGekPXala.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Order_12232024.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIDGekPXala" /XML "C:\Users\user\AppData\Local\Temp\tmp7D27.tmp"
Source: C:\Users\user\Desktop\Order_12232024.exe | Process created: C:\Users\user\Desktop\Order_12232024.exe "C:\Users\user\Desktop\Order_12232024.exe"
Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIDGekPXala" /XML "C:\Users\user\AppData\Local\Temp\tmp9061.tmp"
Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe | Process created: C:\Users\user\AppData\Roaming\qIDGekPXala.exe "C:\Users\user\AppData\Roaming\qIDGekPXala.exe"
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Users\user\Desktop\Order_12232024.exe VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order_12232024.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Order_12232024.exeQueries volume information: C:\Users\user\Desktop\Order_12232024.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Order_12232024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Order_12232024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Order_12232024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Order_12232024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Order_12232024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Order_12232024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exeQueries volume information: C:\Users\user\AppData\Roaming\qIDGekPXala.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exeQueries volume information: C:\Users\user\AppData\Roaming\qIDGekPXala.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Order_12232024.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.Order_12232024.exe.43af188.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order_12232024.exe.4311ae8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order_12232024.exe.4311ae8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order_12232024.exe.43af188.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2931296361.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1722150488.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1722150488.0000000004348000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order_12232024.exe PID: 7256, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Order_12232024.exe PID: 7716, type: MEMORYSTR
Source: Yara match | File source: 0.2.Order_12232024.exe.43af188.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order_12232024.exe.4311ae8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order_12232024.exe.4311ae8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order_12232024.exe.43af188.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2931296361.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1722150488.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1722150488.0000000004348000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order_12232024.exe PID: 7256, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Order_12232024.exe PID: 7716, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Order_12232024.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\qIDGekPXala.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 0.2.Order_12232024.exe.43af188.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order_12232024.exe.4311ae8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order_12232024.exe.4311ae8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order_12232024.exe.43af188.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2931296361.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1722150488.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1722150488.0000000004348000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2933772587.0000000002B73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2933924383.0000000002F83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order_12232024.exe PID: 7256, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Order_12232024.exe PID: 7716, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: qIDGekPXala.exe PID: 8080, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: 0.2.Order_12232024.exe.43af188.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order_12232024.exe.4311ae8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order_12232024.exe.4311ae8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order_12232024.exe.43af188.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2931296361.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1722150488.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1722150488.0000000004348000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order_12232024.exe PID: 7256, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Order_12232024.exe PID: 7716, type: MEMORYSTR
Source: Yara match | File source: 0.2.Order_12232024.exe.43af188.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order_12232024.exe.4311ae8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order_12232024.exe.4311ae8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order_12232024.exe.43af188.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2931296361.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1722150488.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1722150488.0000000004348000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order_12232024.exe PID: 7256, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Order_12232024.exe PID: 7716, type: MEMORYSTR

MITRE ATT&CK Matrix (one column per tactic; the number in parentheses is the count of signatures mapped to that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (11) | OS Credential Dumping (1) | File and Directory Discovery (1) | Remote Services | Archive Collected Data (11) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Process Injection (111) | Deobfuscate/Decode Files or Information (1) | Input Capture (1) | System Information Discovery (13) | Remote Desktop Protocol | Data from Local System (1) | Encrypted Channel (11) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Scheduled Task/Job (1) | Obfuscated Files or Information (3) | Security Account Manager | Query Registry (1) | SMB/Windows Admin Shares | Email Collection (1) | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Software Packing (12) | NTDS | Security Software Discovery (11) | Distributed Component Object Model | Input Capture (1) | Application Layer Protocol (13) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Process Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Masquerading (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (31) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion (31) | DCSync | Application Window Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Process Injection (111) | Proc Filesystem | System Network Configuration Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph (ID: 1579851, Sample: Order_12232024.exe, Start date: 23/12/2024, Architecture: WINDOWS, Score: 100)

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 12 other signatures

DNS / IP nodes:
- reallyfreegeoip.org (172.67.177.134, port 443, local ports 49737 and 49740, CLOUDFLARENETUS, United States); signature: Tries to detect the country of the analysis system (by using the IP)
- checkip.dyndns.com (193.122.130.0, port 80, local ports 49735 and 49739, ORACLE-BMC-31898US, United States)
- checkip.dyndns.org

Process tree:
- Order_12232024.exe (started)
  Dropped files: C:\Users\user\AppData\...\qIDGekPXala.exe (PE32); C:\Users\...\qIDGekPXala.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp7D27.tmp (XML); C:\Users\user\...\Order_12232024.exe.log (ASCII)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  - powershell.exe (started); signature: Loading BitLocker PowerShell Module
    - conhost.exe (started)
    - WmiPrvSE.exe (started)
  - powershell.exe (started)
    - conhost.exe (started)
  - Order_12232024.exe (started); network: checkip.dyndns.com, reallyfreegeoip.org
  - 2 other processes
    - conhost.exe (started)
- qIDGekPXala.exe (started)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  - qIDGekPXala.exe (started); signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
  - schtasks.exe (started)
    - conhost.exe (started)

Source | Detection | Scanner | Label | Link
Order_12232024.exe | 61% | ReversingLabs | ByteCode-MSIL.Trojan.Genie8DN |
Order_12232024.exe | 100% | Avira | HEUR/AGEN.1304597 |
Order_12232024.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\qIDGekPXala.exe | 100% | Avira | HEUR/AGEN.1304597 |
C:\Users\user\AppData\Roaming\qIDGekPXala.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\qIDGekPXala.exe | 61% | ReversingLabs | ByteCode-MSIL.Trojan.Genie8DN |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 172.67.177.134 | true | false | | high
checkip.dyndns.com | 193.122.130.0 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
http://checkip.dyndns.org/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.orgd | Order_12232024.exe, 00000009.00000002.2933772587.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | Order_12232024.exe, 00000009.00000002.2933772587.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, Order_12232024.exe, 00000009.00000002.2933772587.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002ECC000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | Order_12232024.exe, qIDGekPXala.exe.0.dr | false | | high
http://www.carterandcone.coml | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.com | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.typography.netD | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/cabarga.htmlN | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/staff/dennis.htm | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/frere-user.html | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189l | Order_12232024.exe, 00000009.00000002.2933772587.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.comd | Order_12232024.exe, 00000009.00000002.2933772587.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | Order_12232024.exe, 00000000.00000002.1722150488.0000000004348000.00000004.00000800.00020000.00000000.sdmp, Order_12232024.exe, 00000000.00000002.1722150488.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, Order_12232024.exe, 00000009.00000002.2931296361.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189d | Order_12232024.exe, 00000009.00000002.2933772587.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.org | Order_12232024.exe, 00000009.00000002.2933772587.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EFB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.orgd | Order_12232024.exe, 00000009.00000002.2933772587.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | Order_12232024.exe, 00000009.00000002.2933772587.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers8 | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | Order_12232024.exe, 00000009.00000002.2933772587.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.urwpp.deDPlease | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.zhongyicts.com.cn | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/d | Order_12232024.exe, 00000009.00000002.2933772587.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Order_12232024.exe, 00000009.00000002.2933772587.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002E61000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | Order_12232024.exe, 00000000.00000002.1732435177.0000000007472000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot-/sendDocument?chat_id= | Order_12232024.exe, 00000000.00000002.1722150488.0000000004348000.00000004.00000800.00020000.00000000.sdmp, Order_12232024.exe, 00000000.00000002.1722150488.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, Order_12232024.exe, 00000009.00000002.2931296361.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name2L | Order_12232024.exe, 00000000.00000002.1721618455.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameX | qIDGekPXala.exe, 0000000A.00000002.1771806524.0000000003331000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | Order_12232024.exe, 00000000.00000002.1722150488.0000000004348000.00000004.00000800.00020000.00000000.sdmp, Order_12232024.exe, 00000000.00000002.1722150488.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, Order_12232024.exe, 00000009.00000002.2931296361.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Order_12232024.exe, 00000009.00000002.2933772587.0000000002ACE000.00000004.00000800.00020000.00000000.sdmp, qIDGekPXala.exe, 0000000E.00000002.2933924383.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
172.67.177.134 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579851
Start date and time: 2024-12-23 12:18:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Order_12232024.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@21/15@2/2
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 143
• Number of non-executed functions: 12
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.218.208.109, 4.175.87.197, 13.107.246.63
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Order_12232024.exe, PID 7716 because it is empty
• Execution Graph export aborted for target qIDGekPXala.exe, PID 8080 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: Order_12232024.exe
Time | Type | Description
06:19:01 | API Interceptor | 2x Sleep call for process: Order_12232024.exe modified
06:19:02 | API Interceptor | 45x Sleep call for process: powershell.exe modified
06:19:06 | API Interceptor | 2x Sleep call for process: qIDGekPXala.exe modified
11:19:04 | Task Scheduler | Run new task: qIDGekPXala path: C:\Users\user\AppData\Roaming\qIDGekPXala.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
193.122.130.0 | rTTSWIFTCOPIES.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | 66776676676.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | 87h216Snb7.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | dP5z8RpEyQ.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | pre-stowage.PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | PURCHASE ORDER TRC-0909718-24_pdf.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | ref_97024130865.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.130.0 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
172.67.177.134 | rTTSWIFTCOPIES.exe | malicious | MassLogger RAT |
172.67.177.134 | Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe | malicious | MassLogger RAT |
172.67.177.134 | YU SV Payment.exe | malicious | MassLogger RAT |
172.67.177.134 | PAYMENT ADVICE 750013-1012449943-81347-pdf.exe | malicious | GuLoader, MassLogger RAT |
172.67.177.134 | HUSDGHCE23ED.exe | malicious | MassLogger RAT |
172.67.177.134 | 66776676676.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger |
172.67.177.134 | RFQ December-January Forcast and TCL.exe | malicious | GuLoader, MassLogger RAT |
172.67.177.134 | Invoice.exe | malicious | Snake Keylogger |
172.67.177.134 | PK241200518-EMAIL RELEASE-pdf.exe | malicious | Snake Keylogger, VIP Keylogger |
172.67.177.134 | ugpJX5h56S.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | rTTSWIFTCOPIES.exe | malicious | MassLogger RAT | 193.122.130.0
checkip.dyndns.com | Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe | malicious | MassLogger RAT | 158.101.44.242
checkip.dyndns.com | Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe | malicious | MassLogger RAT | 158.101.44.242
checkip.dyndns.com | Invoice DHL - AWB 2024 E4001 - 0000731.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | Requested Documentation.exe | malicious | MassLogger RAT | 158.101.44.242
checkip.dyndns.com | YU SV Payment.exe | malicious | MassLogger RAT | 193.122.6.168
checkip.dyndns.com | PURCHASE ORDER TRC-090971819130-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 132.226.247.73
checkip.dyndns.com | PAYMENT ADVICE 750013-1012449943-81347-pdf.exe | malicious | GuLoader, MassLogger RAT | 193.122.6.168
checkip.dyndns.com | Overheaped237.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
checkip.dyndns.com | HUSDGHCE23ED.exe | malicious | MassLogger RAT | 158.101.44.242
reallyfreegeoip.org | rTTSWIFTCOPIES.exe | malicious | MassLogger RAT | 172.67.177.134
reallyfreegeoip.org | Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe | malicious | MassLogger RAT | 172.67.177.134
reallyfreegeoip.org | Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe | malicious | MassLogger RAT | 104.21.67.152
reallyfreegeoip.org | Invoice DHL - AWB 2024 E4001 - 0000731.exe | malicious | Snake Keylogger | 104.21.67.152
reallyfreegeoip.org | YU SV Payment.exe | malicious | MassLogger RAT |
                                                                                                                                  • 172.67.177.134
                                                                                                                                  PURCHASE ORDER TRC-090971819130-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                  • 104.21.67.152
                                                                                                                                  PAYMENT ADVICE 750013-1012449943-81347-pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                  • 172.67.177.134
                                                                                                                                  Overheaped237.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                  • 104.21.67.152
                                                                                                                                  HUSDGHCE23ED.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                  • 172.67.177.134
                                                                                                                                  66776676676.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                  • 172.67.177.134
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: ORACLE-BMC-31898US
  rTTSWIFTCOPIES.exe | malicious | MassLogger RAT | context: 193.122.130.0
  nshkmips.elf | malicious | Mirai | context: 132.145.36.70
  Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe | malicious | MassLogger RAT | context: 158.101.44.242
  Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe | malicious | MassLogger RAT | context: 158.101.44.242
  nshkarm.elf | malicious | Mirai | context: 140.238.15.102
  nshsh4.elf | malicious | Mirai | context: 140.238.98.44
  Requested Documentation.exe | malicious | MassLogger RAT | context: 158.101.44.242
  YU SV Payment.exe | malicious | MassLogger RAT | context: 193.122.6.168
  la.bot.sparc.elf | malicious | Mirai | context: 168.138.95.8
  PAYMENT ADVICE 750013-1012449943-81347-pdf.exe | malicious | GuLoader, MassLogger RAT | context: 193.122.6.168
Match: CLOUDFLARENETUS
  acronis recovery expert deluxe 1.0.0.132.rarl.exe | malicious | LummaC | context: 104.21.35.89
  rTTSWIFTCOPIES.exe | malicious | MassLogger RAT | context: 172.67.177.134
  https://www.google.com.au/url?q=//www.google.co.nz/amp/s/synthchromal.ru/Vc51/ | malicious | Unknown | context: 172.67.154.63
  https://a41c415c7bccad129d61b50d2032009e.aktive-senioren.biz/de/st/1?#bqcnl4tocgzq65tck3bv | malicious | Unknown | context: 104.21.92.223
  FBmz85HS0d.exe | malicious | LummaC | context: 172.67.150.173
  armv5l.elf | malicious | Unknown | context: 1.8.230.191
  BJQizQ6sqT.exe | malicious | LummaC | context: 172.67.150.173
  Ref#20203216.exe | malicious | AgentTesla | context: 104.26.13.205
  LNn56KMkEE.exe | malicious | LummaC | context: 104.21.66.86
  BVGvbpplT8.exe | malicious | LummaC, Stealc | context: 104.21.66.86
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 54328bd36c14bd82ddaa0c04b25ed9ad
  rTTSWIFTCOPIES.exe | malicious | MassLogger RAT | context: 172.67.177.134
  Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe | malicious | MassLogger RAT | context: 172.67.177.134
  Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe | malicious | MassLogger RAT | context: 172.67.177.134
  Browser.Daemon.exe | malicious | Unknown | context: 172.67.177.134
  Browser.Daemon.exe | malicious | Unknown | context: 172.67.177.134
  Invoice DHL - AWB 2024 E4001 - 0000731.exe | malicious | Snake Keylogger | context: 172.67.177.134
  YU SV Payment.exe | malicious | MassLogger RAT | context: 172.67.177.134
  PURCHASE ORDER TRC-090971819130-24_pdf.exe | malicious | GuLoader, MassLogger RAT | context: 172.67.177.134
  PAYMENT ADVICE 750013-1012449943-81347-pdf.exe | malicious | GuLoader, MassLogger RAT | context: 172.67.177.134
  Overheaped237.exe | malicious | GuLoader, Snake Keylogger | context: 172.67.177.134
No context
Process: C:\Users\user\Desktop\Order_12232024.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Users\user\AppData\Roaming\qIDGekPXala.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
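The two previews above are .NET CLR usage logs: CRLF-terminated CSV records of the form kind,"name"[,"native image path"],flag, where the quoted names are the assembly display names the process loaded. The following parser is an added example, not part of the Joe Sandbox report or of the sample; it reconstructs the first five records of the preview as a constructed input (the report renders each CRLF pair as ".."), extracts each assembly's PublicKeyToken and flags anything not signed with one of the well-known .NET Framework / Windows tokens. The meaning of the numeric kind and flag columns is not documented on this page and is carried through untouched; the token allowlist is the example's own assumption.

```python
"""Parse a .NET CLR usage log and pick out non-Microsoft assemblies.

Added example (not Joe Sandbox or sample code). Assumes each CRLF-terminated
record is a CSV row: kind,"name"[,"detail"],flag. For rows naming an assembly
the optional detail column is the native image (*.ni.dll) path; for the
leading "fusion"/"WinRT" rows it is a setting value such as "GAC".
"""
import csv
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the first five records of the previewed log.
SAMPLE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, '
    'PublicKeyToken=b77a5c561934e089",0\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\'
    '920e3d1d70447c3c10e69e6df0766568\\System.ni.dll",0\r\n'
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, '
    'PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
)

# Assumed allowlist: the public key tokens the .NET Framework and Windows
# components are signed with. Anything else (including PublicKeyToken=null,
# i.e. an unsigned assembly) deserves a second look during triage.
MICROSOFT_TOKENS = {"b77a5c561934e089", "b03f5f7f11d50a3a", "31bf3856ad364e35"}
TOKEN_RE = re.compile(r"PublicKeyToken=([0-9a-fA-F]{16}|null)")


@dataclass
class UsageRecord:
    kind: int
    name: str              # assembly display name, or a label such as "fusion"
    detail: Optional[str]  # third column when present (path or setting value)
    flag: int

    @property
    def public_key_token(self) -> Optional[str]:
        m = TOKEN_RE.search(self.name)
        return m.group(1).lower() if m else None

    @property
    def native_image(self) -> Optional[str]:
        # Only a detail column that names a *.ni.dll is a native image path.
        if self.detail and self.detail.lower().endswith(".ni.dll"):
            return self.detail
        return None


def parse_usage_log(text: str) -> List[UsageRecord]:
    """Split the log into records; splitlines() absorbs the CRLF terminators."""
    records: List[UsageRecord] = []
    for row in csv.reader(text.splitlines()):
        if not row:
            continue
        kind, name, *rest = row
        detail = rest[0] if len(rest) == 2 else None
        records.append(UsageRecord(int(kind), name, detail, int(rest[-1])))
    return records


def assembly_records(records: List[UsageRecord]) -> List[UsageRecord]:
    """Records whose name is a full assembly display name (carries a token)."""
    return [r for r in records if r.public_key_token is not None]


def suspicious_assemblies(records: List[UsageRecord]) -> List[str]:
    """Display names of assemblies not signed with an allowlisted token."""
    return [r.name for r in assembly_records(records)
            if r.public_key_token not in MICROSOFT_TOKENS]


if __name__ == "__main__":
    recs = parse_usage_log(SAMPLE_LOG)
    for rec in recs:
        print(rec.kind, rec.name.split(",")[0], rec.native_image or "-")
    print("non-Microsoft assemblies:", suspicious_assemblies(recs))
```

On the previewed log every assembly carries a Microsoft token, so the triage list is empty; the same parser run over a usage log from an unknown .NET binary lists whatever third-party or unsigned assemblies it pulled in.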
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.380134126512796
Encrypted: false
SSDEEP: 48:+WSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//YPUyus:+LHxvIIwLgZ2KRHWLOugQs
MD5: B75028F3C600C91EB705194C820F1D96
SHA1: 6E0C027EA2B7DE6F23D2BAFD5DC4E5741BFE8020
SHA-256: 6992662D841D633BB486A3A9057985293F693ED29FEEE5AAAA8EE1F97882D3D6
SHA-512: D9C99CD10B1EEE2629039F1620821B97F70C1C141DBD79839B4C361655AE73FE870FB594351A9519A77291A5C0AF4DA686F7F5A1B6507077FB4109BD69B4A0DB
Malicious: false
Preview: @...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                  Process:C:\Users\user\Desktop\Order_12232024.exe
                                                                                                                                  File Type:XML 1.0 document, ASCII text
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):1577
                                                                                                                                  Entropy (8bit):5.113863429384537
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtafaxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTlv
                                                                                                                                  MD5:D395FAD0A5183A3617EA42BC99499D8E
                                                                                                                                  SHA1:95BE249B7DDEF98A11AC93711366A474F7B8212F
                                                                                                                                  SHA-256:EC33EA588C9B77A18C8E65C315AB4ECEC34AF336C2D82B908396F71A22D76788
                                                                                                                                  SHA-512:349FBD18EE357654A31365ADCD6C4B1F1F3FEFA6BF39C8A4C920A22A1F626C33C8746C2EB1FAF29F35FBCDE6FC2F00D4E2E3E3FF687DF2878058C8F1A9B43478
                                                                                                                                  Malicious:true
                                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                                                  Process:C:\Users\user\AppData\Roaming\qIDGekPXala.exe
                                                                                                                                  File Type:XML 1.0 document, ASCII text
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):1577
                                                                                                                                  Entropy (8bit):5.113863429384537
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtafaxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTlv
                                                                                                                                  MD5:D395FAD0A5183A3617EA42BC99499D8E
                                                                                                                                  SHA1:95BE249B7DDEF98A11AC93711366A474F7B8212F
                                                                                                                                  SHA-256:EC33EA588C9B77A18C8E65C315AB4ECEC34AF336C2D82B908396F71A22D76788
                                                                                                                                  SHA-512:349FBD18EE357654A31365ADCD6C4B1F1F3FEFA6BF39C8A4C920A22A1F626C33C8746C2EB1FAF29F35FBCDE6FC2F00D4E2E3E3FF687DF2878058C8F1A9B43478
                                                                                                                                  Malicious:false
                                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                                                  Process:C:\Users\user\Desktop\Order_12232024.exe
                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):671240
                                                                                                                                  Entropy (8bit):7.351724276299318
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:12288:gDkX1pKPO/DifyQjvZPyNZ36GlkwFRfpUYjpjyZ5hnkR:gAXaSRQjvMPzk4Ftjy5y
                                                                                                                                  MD5:FF80002015C1C3E3B18AAB780227940E
                                                                                                                                  SHA1:A9AF963334A77FB0ABDD0F6F3A8B2FCE6F33663E
                                                                                                                                  SHA-256:8EF455D1383249717A5D6215A98C176DA08D5CF9F2D70F6D3EA24368B36B00C5
                                                                                                                                  SHA-512:20B2551462D52C62AF4BC178FB3BC8F692803697E5AFE7114454E16574827103319011B08F4A32B552376469187523856C7785C1D5C2B85F3F188E96AAA6C851
                                                                                                                                  Malicious:true
                                                                                                                                  Antivirus:
                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                  • Antivirus: ReversingLabs, Detection: 61%
                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....hg..............0.................. ... ....@.. .......................`............@.....................................O.... ...................6...@....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........l...R...............\...........................................0............}......}.....(.......(......{...........%.r...p( ...s!....%.r...p( ...s!....%.r!..p( ...s!.......("....s2.....o0....s?.....s8.......o4......o>.....sD.....s;........+5~........(...+....($.......(...+....(%...o&...&...X......(...+......-....+0.~......(...+......................o@........X....~....(...+......-....+1.~......(...+.......................o@........X....~....(...+......-.....+/.~...
                                                                                                                                  Process:C:\Users\user\Desktop\Order_12232024.exe
                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                  Category:dropped
                                                                                                                                  Size (bytes):26
                                                                                                                                  Entropy (8bit):3.95006375643621
                                                                                                                                  Encrypted:false
                                                                                                                                  SSDEEP:3:ggPYV:rPYV
                                                                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                  Malicious:true
                                                                                                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                  Entropy (8bit):7.351724276299318
                                                                                                                                  TrID:
                                                                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 49.93%
                                                                                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                  File name:Order_12232024.exe
                                                                                                                                  File size:671'240 bytes
                                                                                                                                  MD5:ff80002015c1c3e3b18aab780227940e
                                                                                                                                  SHA1:a9af963334a77fb0abdd0f6f3a8b2fce6f33663e
                                                                                                                                  SHA256:8ef455d1383249717a5d6215a98c176da08d5cf9f2d70f6d3ea24368b36b00c5
                                                                                                                                  SHA512:20b2551462d52c62af4bc178fb3bc8f692803697e5afe7114454e16574827103319011b08f4a32b552376469187523856c7785c1d5c2b85f3f188e96aaa6c851
                                                                                                                                  SSDEEP:12288:gDkX1pKPO/DifyQjvZPyNZ36GlkwFRfpUYjpjyZ5hnkR:gAXaSRQjvMPzk4Ftjy5y
                                                                                                                                  TLSH:E7E4F1785578D10EC46AA73586F3F27922742ECDAB01D2CF5BC86EEBB917B4548483C2
                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....hg..............0.................. ... ....@.. .......................`............@................................
                                                                                                                                  Icon Hash:90cececece8e8eb0
                                                                                                                                  Entrypoint:0x4a1cde
                                                                                                                                  Entrypoint Section:.text
                                                                                                                                  Digitally signed:true
                                                                                                                                  Imagebase:0x400000
                                                                                                                                  Subsystem:windows gui
                                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                  Time Stamp:0x6768D1BA [Mon Dec 23 02:58:02 2024 UTC]
                                                                                                                                  TLS Callbacks:
                                                                                                                                  CLR (.Net) Version:
                                                                                                                                  OS Version Major:4
                                                                                                                                  OS Version Minor:0
                                                                                                                                  File Version Major:4
                                                                                                                                  File Version Minor:0
                                                                                                                                  Subsystem Version Major:4
                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                  Signature Valid:false
                                                                                                                                  Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                                                                                                  Signature Validation Error:The digital signature of the object did not verify
                                                                                                                                  Error Number:-2146869232
                                                                                                                                  Not Before, Not After
                                                                                                                                  • 13/11/2018 00:00:00 08/11/2021 23:59:59
                                                                                                                                  Subject Chain
                                                                                                                                  • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                                                                                                                  Version:3
                                                                                                                                  Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                                                                                                  Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                                                                                                  Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                                                                                                  Serial:7C1118CBBADC95DA3752C46E47A27438
Instruction
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa1c8c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa2000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xa0800 | 0x3608 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x9fd64 | 0x9fe00 | fc17038cce393cc8979d68d979f18057 | False | 0.761469837275215 | data | 7.341969643106022 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa2000 | 0x59c | 0x600 | 5dd2bf97a4bd31cabc5eb734073643d0 | False | 0.4147135416666667 | data | 4.097607656662409 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa4000 | 0xc | 0x200 | 961c2294255dfe4c4a64a2e7e46ce924 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xa2090 | 0x30c | data | | | 0.4256410256410256
RT_MANIFEST | 0xa23ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-23T12:19:06.309912+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49735 | 193.122.130.0 | 80 | TCP
2024-12-23T12:19:10.619690+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49739 | 193.122.130.0 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 12:19:04.013787031 CET | 60856 | 53 | 192.168.2.4 | 1.1.1.1
Dec 23, 2024 12:19:04.153727055 CET | 53 | 60856 | 1.1.1.1 | 192.168.2.4
Dec 23, 2024 12:19:06.221936941 CET | 56976 | 53 | 192.168.2.4 | 1.1.1.1
Dec 23, 2024 12:19:06.372011900 CET | 53 | 56976 | 1.1.1.1 | 192.168.2.4
                                                                                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                  Dec 23, 2024 12:19:04.013787031 CET192.168.2.41.1.1.10x972fStandard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                                                                  Dec 23, 2024 12:19:06.221936941 CET192.168.2.41.1.1.10xdc95Standard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false
                                                                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                  Dec 23, 2024 12:19:04.153727055 CET1.1.1.1192.168.2.40x972fNo error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                  Dec 23, 2024 12:19:04.153727055 CET1.1.1.1192.168.2.40x972fNo error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                                                                  Dec 23, 2024 12:19:04.153727055 CET1.1.1.1192.168.2.40x972fNo error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                                                                  Dec 23, 2024 12:19:04.153727055 CET1.1.1.1192.168.2.40x972fNo error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                                                                  Dec 23, 2024 12:19:04.153727055 CET1.1.1.1192.168.2.40x972fNo error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                                                                  Dec 23, 2024 12:19:04.153727055 CET1.1.1.1192.168.2.40x972fNo error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                                                                  Dec 23, 2024 12:19:06.372011900 CET1.1.1.1192.168.2.40xdc95No error (0)reallyfreegeoip.org172.67.177.134A (IP address)IN (0x0001)false
                                                                                                                                  Dec 23, 2024 12:19:06.372011900 CET1.1.1.1192.168.2.40xdc95No error (0)reallyfreegeoip.org104.21.67.152A (IP address)IN (0x0001)false
                                                                                                                                  • reallyfreegeoip.org
                                                                                                                                  • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49735 | 193.122.130.0 | 80 | 7716 | C:\Users\user\Desktop\Order_12232024.exe

Timestamp | Bytes transferred | Direction | Data
Dec 23, 2024 12:19:04.293034077 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Dec 23, 2024 12:19:05.864809990 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 11:19:05 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 3cc787158d88859dc72eaa0849c9023e
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 23, 2024 12:19:05.879746914 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Dec 23, 2024 12:19:06.218025923 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 11:19:06 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: b7c782b72009f0981f60b2be9794aea1
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49739 | 193.122.130.0 | 80 | 8080 | C:\Users\user\AppData\Roaming\qIDGekPXala.exe

Timestamp | Bytes transferred | Direction | Data
Dec 23, 2024 12:19:09.050683975 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Dec 23, 2024 12:19:10.158560991 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 11:19:10 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 0b40b838d3d4f827f9ab0f2349449093
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 23, 2024 12:19:10.162120104 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Dec 23, 2024 12:19:10.480801105 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 11:19:10 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 35f95fa712d2f44c16622fd8aea3a2c1
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49737 | 172.67.177.134 | 443 | 7716 | C:\Users\user\Desktop\Order_12232024.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-23 11:19:07 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-12-23 11:19:08 UTC | 856 | IN | HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 11:19:07 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 267537
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kVqLfMQqC4ZbBYA83LpOQ744j0tKde5OlE5g6nffmdZc82lgiSUncOXHqVdukJ0yUcLsXwv50YVbKb%2Bq5mJLW8CMxMOn0P1WFfHeZOBXBSmGQPDfC1%2FFvDzuf3%2FvH3%2FwD0MDoprF"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f67f4723ae38c47-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1802&min_rtt=1802&rtt_var=676&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1620421&cwnd=230&unsent_bytes=0&cid=657183bddc917a60&ts=479&x=0"
2024-12-23 11:19:08 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49740 | 172.67.177.134 | 443 | 8080 | C:\Users\user\AppData\Roaming\qIDGekPXala.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-23 11:19:11 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-12-23 11:19:12 UTC | 858 | IN | HTTP/1.1 200 OK
    Date: Mon, 23 Dec 2024 11:19:12 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 267541
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CbKZI0z0H0oHUASiOXSWhk%2BKhRHMOEkgxfSrYBRZQB8VNKTcRE7cF5IsQnyuOUMQgGTYf1Ds7WCm4FB7I%2BlTzM9nYd%2BaZTK%2BK7CgMGpxrLPRyFdGSDoZYRQp%2Ba74L7FJ41BWPzIz"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f67f48be81241e6-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1608&min_rtt=1602&rtt_var=613&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1765417&cwnd=182&unsent_bytes=0&cid=cd1a7bf6478f53e1&ts=453&x=0"
2024-12-23 11:19:12 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo



Target ID: 0
Start time: 06:18:59
Start date: 23/12/2024
Path: C:\Users\user\Desktop\Order_12232024.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Order_12232024.exe"
Imagebase: 0xf80000
File size: 671'240 bytes
MD5 hash: FF80002015C1C3E3B18AAB780227940E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1722150488.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1722150488.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1722150488.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1722150488.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1722150488.0000000004348000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1722150488.0000000004348000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1722150488.0000000004348000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1722150488.0000000004348000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 2
Start time: 06:19:01
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_12232024.exe"
Imagebase: 0x5c0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                  Target ID:3
                                                                                                                                  Start time:06:19:01
                                                                                                                                  Start date:23/12/2024
                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                  File size:862'208 bytes
                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:4
                                                                                                                                  Start time:06:19:01
                                                                                                                                  Start date:23/12/2024
                                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qIDGekPXala.exe"
                                                                                                                                  Imagebase:0x5c0000
                                                                                                                                  File size:433'152 bytes
                                                                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:5
                                                                                                                                  Start time:06:19:01
                                                                                                                                  Start date:23/12/2024
                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                  File size:862'208 bytes
                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:6
                                                                                                                                  Start time:06:19:02
                                                                                                                                  Start date:23/12/2024
                                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIDGekPXala" /XML "C:\Users\user\AppData\Local\Temp\tmp7D27.tmp"
                                                                                                                                  Imagebase:0xa10000
                                                                                                                                  File size:187'904 bytes
                                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:7
                                                                                                                                  Start time:06:19:02
                                                                                                                                  Start date:23/12/2024
                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                  File size:862'208 bytes
                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:8
                                                                                                                                  Start time:06:19:02
                                                                                                                                  Start date:23/12/2024
                                                                                                                                  Path:C:\Users\user\Desktop\Order_12232024.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Users\user\Desktop\Order_12232024.exe"
                                                                                                                                  Imagebase:0x590000
                                                                                                                                  File size:671'240 bytes
                                                                                                                                  MD5 hash:FF80002015C1C3E3B18AAB780227940E
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:low
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:9
                                                                                                                                  Start time:06:19:02
                                                                                                                                  Start date:23/12/2024
                                                                                                                                  Path:C:\Users\user\Desktop\Order_12232024.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Users\user\Desktop\Order_12232024.exe"
                                                                                                                                  Imagebase:0x640000
                                                                                                                                  File size:671'240 bytes
                                                                                                                                  MD5 hash:FF80002015C1C3E3B18AAB780227940E
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000009.00000002.2931296361.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2931296361.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.2931296361.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.2931296361.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2933772587.0000000002B73000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                  Reputation:low
                                                                                                                                  Has exited:false

                                                                                                                                  Target ID:10
                                                                                                                                  Start time:06:19:04
                                                                                                                                  Start date:23/12/2024
                                                                                                                                  Path:C:\Users\user\AppData\Roaming\qIDGekPXala.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:C:\Users\user\AppData\Roaming\qIDGekPXala.exe
                                                                                                                                  Imagebase:0xed0000
                                                                                                                                  File size:671'240 bytes
                                                                                                                                  MD5 hash:FF80002015C1C3E3B18AAB780227940E
                                                                                                                                  Has elevated privileges:false
                                                                                                                                  Has administrator privileges:false
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Antivirus matches:
                                                                                                                                  • Detection: 100%, Avira
                                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                                  • Detection: 61%, ReversingLabs
                                                                                                                                  Reputation:low
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:11
                                                                                                                                  Start time:06:19:05
                                                                                                                                  Start date:23/12/2024
                                                                                                                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                  Imagebase:0x7ff693ab0000
                                                                                                                                  File size:496'640 bytes
                                                                                                                                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:false
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:12
                                                                                                                                  Start time:06:19:07
                                                                                                                                  Start date:23/12/2024
                                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIDGekPXala" /XML "C:\Users\user\AppData\Local\Temp\tmp9061.tmp"
                                                                                                                                  Imagebase:0xa10000
                                                                                                                                  File size:187'904 bytes
                                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                  Has elevated privileges:false
                                                                                                                                  Has administrator privileges:false
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:13
                                                                                                                                  Start time:06:19:07
                                                                                                                                  Start date:23/12/2024
                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                  File size:862'208 bytes
                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                  Has elevated privileges:false
                                                                                                                                  Has administrator privileges:false
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:14
                                                                                                                                  Start time:06:19:07
                                                                                                                                  Start date:23/12/2024
                                                                                                                                  Path:C:\Users\user\AppData\Roaming\qIDGekPXala.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\qIDGekPXala.exe"
                                                                                                                                  Imagebase:0xa20000
                                                                                                                                  File size:671'240 bytes
                                                                                                                                  MD5 hash:FF80002015C1C3E3B18AAB780227940E
                                                                                                                                  Has elevated privileges:false
                                                                                                                                  Has administrator privileges:false
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2933924383.0000000002F83000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                  Has exited:false

                                                                                                                                    Execution Graph

                                                                                                                                    Execution Coverage:8.1%
                                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                                    Signature Coverage:10.6%
                                                                                                                                    Total number of Nodes:151
                                                                                                                                    Total number of Limit Nodes:8

                                                                                                                                    Control-flow Graph

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1735721925.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_7960000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: Hbq$Hbq$Hbq$Hbq$Hbq
                                                                                                                                    • API String ID: 0-1677660839
                                                                                                                                    • Opcode ID: a6a29be5757bd772beecb607e582df6b2f746c44e4f2e9916fbbe2d9569a75ab
                                                                                                                                    • Instruction ID: 33223ba80e0b259ca1192d32cfa4cbe28a862675f756504fdb36a7b2b3d528f3
                                                                                                                                    • Opcode Fuzzy Hash: a6a29be5757bd772beecb607e582df6b2f746c44e4f2e9916fbbe2d9569a75ab
                                                                                                                                    • Instruction Fuzzy Hash: 5C328DB0A002588FDB54DFA8C85479EBBF6BF88304F108669D509EB394DF349E85CB91
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1735721925.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_7960000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: f8abe7b34185075e48955c6a2821cce6ee151bc9784ed84f0a7177a066615527
                                                                                                                                    • Instruction ID: 29d76eedf3a17c0e77ca44fbd40b3cc0b83b07d00b83e0668f077c655615a78a
                                                                                                                                    • Opcode Fuzzy Hash: f8abe7b34185075e48955c6a2821cce6ee151bc9784ed84f0a7177a066615527
                                                                                                                                    • Instruction Fuzzy Hash: E1C17EB4E00259CFDB15DFA5C88479DBBF2AF88304F04C6A9D409AB255DB30DA95CF51
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 87f3dcc539ba876de09f98f9828e0356765db5d6cf74dd85bd0ebc428ade0759
                                                                                                                                    • Instruction ID: a42c2d95d94b3a2b3da660913037689f9a2ee2eab8e2041cf4a97bf722f82b6c
                                                                                                                                    • Opcode Fuzzy Hash: 87f3dcc539ba876de09f98f9828e0356765db5d6cf74dd85bd0ebc428ade0759
                                                                                                                                    • Instruction Fuzzy Hash: 6041EEB1E05618CBEB18CFA7DC043DEBAF6AFC9304F04D1AAC44D66254DB740A858F91

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07E09E56
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateProcess
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 963392458-0
                                                                                                                                    • Opcode ID: 95e2b117ecf089d0ef0419102bcfb9835fbf86f1fe27b4e8948b8edc971dabba
                                                                                                                                    • Instruction ID: 1627f011e9deed74ad7eefa6481b801312d810a93d3f6c49b3b18f7f98bca90f
                                                                                                                                    • Opcode Fuzzy Hash: 95e2b117ecf089d0ef0419102bcfb9835fbf86f1fe27b4e8948b8edc971dabba
                                                                                                                                    • Instruction Fuzzy Hash: 0EA17DB1D0121ADFDB10DF68C8407EDBBB6BF44314F1481A9E848A7281DB74A9D5CF92

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07E09E56
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateProcess
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 963392458-0
                                                                                                                                    • Opcode ID: f68e44f68772a00493750767a0c6e30fe107d4f3dd4af6a1fa5ac294ac3ba5a7
                                                                                                                                    • Instruction ID: 61435288c858133090c5a39148a5fc3bdd0d4db63462979790669fe738329780
                                                                                                                                    • Opcode Fuzzy Hash: f68e44f68772a00493750767a0c6e30fe107d4f3dd4af6a1fa5ac294ac3ba5a7
                                                                                                                                    • Instruction Fuzzy Hash: E2917CB1D0121ACFDB10DF68C8407EDBBB6BF48314F1481A9E849A7281DB74A9D5CF92

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 031BF026
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1721037007.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_31b0000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: HandleModule
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4139908857-0
                                                                                                                                    • Opcode ID: 53f9d378c1a2bcfa5f56f5f9de304c96ae4933ed1d42ba207e8a2d9864d11495
                                                                                                                                    • Instruction ID: 53dcced604cb0fc58530e2866ecf18c66d1a7e337fae37309e687bc9da7088a5
                                                                                                                                    • Opcode Fuzzy Hash: 53f9d378c1a2bcfa5f56f5f9de304c96ae4933ed1d42ba207e8a2d9864d11495
                                                                                                                                    • Instruction Fuzzy Hash: 01815770A00B058FD724DF2AE44479ABBF6FF88300F14896DD48ADBA50E775E945CBA1

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    • CreateActCtxA.KERNEL32(?), ref: 031B59C9
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1721037007.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_31b0000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Create
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2289755597-0
                                                                                                                                    • Opcode ID: fdb4497fce090b274030c487e06b9572bbdf6b8962e25ec1d6f8c125b66fda84
                                                                                                                                    • Instruction ID: 0b2d6b833eedaa870ddb5e45d0deb4b0f409d7d60ea9fc7ff128408d36f744b8
                                                                                                                                    • Opcode Fuzzy Hash: fdb4497fce090b274030c487e06b9572bbdf6b8962e25ec1d6f8c125b66fda84
                                                                                                                                    • Instruction Fuzzy Hash: 7641D2B0C00719DBDB24CFAAC8847DDBBF6BF49304F24805AD508AB255DB755985CF90

Control-flow graph (figure): function 031B590C-031B59D9, calls CreateActCtxA; basic-block edge list and executed/not-executed legend omitted.
                                                                                                                                    APIs
                                                                                                                                    • CreateActCtxA.KERNEL32(?), ref: 031B59C9
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1721037007.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_31b0000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Create
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2289755597-0
                                                                                                                                    • Opcode ID: 12d19625b60f623376057ec68c19746f254939a8d043c2732d89bdc6b0d62b6c
                                                                                                                                    • Instruction ID: 9b4535dcdd1bf7fbe2d63acb3a7606fc1d03d89947db2b1e180fef6f4a382a6e
                                                                                                                                    • Opcode Fuzzy Hash: 12d19625b60f623376057ec68c19746f254939a8d043c2732d89bdc6b0d62b6c
                                                                                                                                    • Instruction Fuzzy Hash: 5441C2B0C00619DFDB24CFA9C9857CEBBF6BF49304F24805AD808AB255DB755985CF90
                                                                                                                                    APIs
                                                                                                                                    • DrawTextExW.USER32(?,?,?,?,?,?), ref: 079633AF
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1735721925.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_7960000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: DrawText
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2175133113-0
                                                                                                                                    • Opcode ID: b07320cdc7d090c580a43e0d713738328b377aa84ff184eca06e801bc3843a28
                                                                                                                                    • Instruction ID: 1142c8bc510404cba94509434e545663793b569a4eec2af9dd14c3f790dea6ba
                                                                                                                                    • Opcode Fuzzy Hash: b07320cdc7d090c580a43e0d713738328b377aa84ff184eca06e801bc3843a28
                                                                                                                                    • Instruction Fuzzy Hash: F931E0B59003099FDB10CF9AD884ADEFBF9FB48324F54842AE819A7310D774A944CFA0
                                                                                                                                    APIs
                                                                                                                                    • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07E091F0
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MemoryProcessWrite
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3559483778-0
                                                                                                                                    • Opcode ID: 03dbe8b03144823401ead0ac8460c81fe90836adc65fbe0b7a7795862314fd66
                                                                                                                                    • Instruction ID: d3f4f836ad1c34854a9208b6b487ec169f2bf3503fb0c01f07127cc630ce2bcd
                                                                                                                                    • Opcode Fuzzy Hash: 03dbe8b03144823401ead0ac8460c81fe90836adc65fbe0b7a7795862314fd66
                                                                                                                                    • Instruction Fuzzy Hash: 17218DB19003599FCB10CFA9C845BDEBFF5FF48310F10882AE958A7241C7749580CBA0
                                                                                                                                    APIs
                                                                                                                                    • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07E091F0
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MemoryProcessWrite
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3559483778-0
                                                                                                                                    • Opcode ID: d50af9b5de9a167a442d5b50b470fcbc5501489fd6756bdd74599c4cd71baff0
                                                                                                                                    • Instruction ID: 995b21ba2f0d3d55684da40a9a4d3f9952ffcdbc92425e2097cd8440fe814d57
                                                                                                                                    • Opcode Fuzzy Hash: d50af9b5de9a167a442d5b50b470fcbc5501489fd6756bdd74599c4cd71baff0
                                                                                                                                    • Instruction Fuzzy Hash: 51216BB19003599FCB10CFA9C885BDEBBF5FF48310F108429E958A7241C774A584CBA4
                                                                                                                                    APIs
                                                                                                                                    • DrawTextExW.USER32(?,?,?,?,?,?), ref: 079633AF
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1735721925.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_7960000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: DrawText
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2175133113-0
                                                                                                                                    • Opcode ID: a45a22552539a48438ced3551b177592c3212db1ec9ec0ede64d9095831d467c
                                                                                                                                    • Instruction ID: 7fb54860c4ba1fe5d99f939b3ed3a491adb52b4883f4042664d16666a3b8939f
                                                                                                                                    • Opcode Fuzzy Hash: a45a22552539a48438ced3551b177592c3212db1ec9ec0ede64d9095831d467c
                                                                                                                                    • Instruction Fuzzy Hash: 7521CEB59002099FDB10CF9AD884A9EBBF9BB48324F54842AE819A7210D774A944CFA0
                                                                                                                                    APIs
                                                                                                                                    • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07E096D0
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MemoryProcessRead
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1726664587-0
                                                                                                                                    • Opcode ID: da2d0bd5e41c7e946160a31a681d92357d44c479bfeb5fd84ffc8e74934ec58a
                                                                                                                                    • Instruction ID: 16518e246e1e087bbe790fb2116df8ee2a3a1353af21b74878a509d8aa7f8e26
                                                                                                                                    • Opcode Fuzzy Hash: da2d0bd5e41c7e946160a31a681d92357d44c479bfeb5fd84ffc8e74934ec58a
                                                                                                                                    • Instruction Fuzzy Hash: 382136B1D012599FCB10CFAAC884AEEBBF0FF48314F10882AE558A7251D7349545CBA4
                                                                                                                                    APIs
                                                                                                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07E09046
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ContextThreadWow64
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 983334009-0
                                                                                                                                    • Opcode ID: b15b66d634cf5e66160bdb0c822bbecf89f548121ece26e37cb8f4b46617a294
                                                                                                                                    • Instruction ID: f33dae8b1d09c7a6e7d8cd5fb9ff9b856a0c0cd0e054e292a701ee3237855e8b
                                                                                                                                    • Opcode Fuzzy Hash: b15b66d634cf5e66160bdb0c822bbecf89f548121ece26e37cb8f4b46617a294
                                                                                                                                    • Instruction Fuzzy Hash: CC2137B19002198FDB10DFAAC4857EEBBF4EF88314F10C42AD559A7281D778A985CFA4
                                                                                                                                    APIs
                                                                                                                                    • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07E096D0
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MemoryProcessRead
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1726664587-0
                                                                                                                                    • Opcode ID: b99df65c46f2d066f6882d523864a9923b311abe98fb4ca07089b01d4afbd82c
                                                                                                                                    • Instruction ID: 9ead8955ac19978be6691de15d1d1a3e1e6e1964245c7d34d33e9f9a87821d46
                                                                                                                                    • Opcode Fuzzy Hash: b99df65c46f2d066f6882d523864a9923b311abe98fb4ca07089b01d4afbd82c
                                                                                                                                    • Instruction Fuzzy Hash: 9B2139B1C003599FCB10DFAAC845ADEFBF5FF48310F10842AE958A7251D734A544CBA4
                                                                                                                                    APIs
                                                                                                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07E09046
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ContextThreadWow64
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 983334009-0
                                                                                                                                    • Opcode ID: 53e3a41e5dd27dcb4dfd03ef2608e3b761b27c3d1a1618b97d89c4d4e117c438
                                                                                                                                    • Instruction ID: 0b0a398e0ffda0407b68fd8b02a677cb3a2cb356e416f0370618e47e2d3dac67
                                                                                                                                    • Opcode Fuzzy Hash: 53e3a41e5dd27dcb4dfd03ef2608e3b761b27c3d1a1618b97d89c4d4e117c438
                                                                                                                                    • Instruction Fuzzy Hash: 712138B19003198FDB10DFAAC4857EEBBF4EF48324F10842AD459A7241D778A984CFA4
                                                                                                                                    APIs
                                                                                                                                    • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07E0910E
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AllocVirtual
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4275171209-0
                                                                                                                                    • Opcode ID: 8ba459fee20aca6a306905bf048502ffd8da3093953c86f6b60a10ac13b26110
                                                                                                                                    • Instruction ID: a22733d76fb911ac54d25800f83d392e86ea3c9a1c9f86676617ae20620c9c07
                                                                                                                                    • Opcode Fuzzy Hash: 8ba459fee20aca6a306905bf048502ffd8da3093953c86f6b60a10ac13b26110
                                                                                                                                    • Instruction Fuzzy Hash: FF1126B2900249DFCB10DFA9C845BEEBFF5EF88324F10881AE559A7250C775A594CFA4
                                                                                                                                    APIs
                                                                                                                                    • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07E0910E
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AllocVirtual
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4275171209-0
                                                                                                                                    • Opcode ID: 56c0faadc56641425294936c9adccb9bcbef680ee3e650374c628baeec8b8780
                                                                                                                                    • Instruction ID: aac9c9aa6a3eea12d2fa039fe471abe13495426edeb66ab62b92423546dd1670
                                                                                                                                    • Opcode Fuzzy Hash: 56c0faadc56641425294936c9adccb9bcbef680ee3e650374c628baeec8b8780
                                                                                                                                    • Instruction Fuzzy Hash: F71137B19002499FCB10DFAAC845BDFBFF5EF88324F108819E559A7250C775A994CFA4
                                                                                                                                    APIs
Memory Dump Source
• Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 8055e401e8aecc6b77c5d2d8186753f55136ff762a32750568055e0f3a1a0717
• Instruction ID: 81e0325a9ba04d9c28cc8f5cd13cacf69bfd7b869a16d552df9bfa4a59746333
• Opcode Fuzzy Hash: 8055e401e8aecc6b77c5d2d8186753f55136ff762a32750568055e0f3a1a0717
• Instruction Fuzzy Hash: 151158B1D002488FCB20DFAAC4457DEFBF5EB88324F208819D459A7250CB34A984CFA4
APIs
Memory Dump Source
• Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 3a3d47f29c8424b831914f9bcb2819ece8b1b47411d101da361f9b68a6c3c61a
• Instruction ID: 4b1059816c614d2ac49e5c8dbfbd8dc5a1bdb3f99d82a7179ca561047ab7bb8e
• Opcode Fuzzy Hash: 3a3d47f29c8424b831914f9bcb2819ece8b1b47411d101da361f9b68a6c3c61a
• Instruction Fuzzy Hash: C7113AB1D003598FDB20DFAAC4457DEFBF5EB88324F208819D559A7250CB75A584CFA4
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07E0DC45
Memory Dump Source
• Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 3a03fccbc65b6ebc95307c4024c85e005fe9319250d43fc4e994c3f76d8b5aa9
• Instruction ID: b17899189406c791e7ec874f8888afad83c47b1c8120e22334d59d596b2a9457
• Opcode Fuzzy Hash: 3a03fccbc65b6ebc95307c4024c85e005fe9319250d43fc4e994c3f76d8b5aa9
• Instruction Fuzzy Hash: F211F5B5900349DFCB10DF9AC885BDEBBF8EB58314F10841AE954A7240D375A984CFE5
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 031BF026
Memory Dump Source
• Source File: 00000000.00000002.1721037007.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_31b0000_Order_12232024.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 65835f4b8dd72cedea1b2dc5483112ad7d576a33679005eb363ab1b9b3a88dc5
• Instruction ID: f6df5247f14c832209e5cb16c7280c3a9186321cee5033b4267a086ad4072819
• Opcode Fuzzy Hash: 65835f4b8dd72cedea1b2dc5483112ad7d576a33679005eb363ab1b9b3a88dc5
• Instruction Fuzzy Hash: 4E11E0B5C003498FCB20DF9AD844ADEFBF5EB89324F14842AD859B7210D375A546CFA5
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07E0DC45
Memory Dump Source
• Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: bac04ac866df91a4bb5b97717d72dbaa19bd71de7f1c1b674bf1626f3b36d195
• Instruction ID: ef1b70d577ae4803d222c7bd3ab59d9a2430293f48493623e9c7604e93f42d46
• Opcode Fuzzy Hash: bac04ac866df91a4bb5b97717d72dbaa19bd71de7f1c1b674bf1626f3b36d195
• Instruction Fuzzy Hash: E81133B5900249CFDB10CF89C988BDEBBF8EB48324F10880AE558A7640C374A584CFA0
Memory Dump Source
• Source File: 00000000.00000002.1720501257.000000000190D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0190D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_190d000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7b8e1c19ece859e267ece55a4c832ff7a0ea74774f56bb3e212920239236d33c
• Instruction ID: 96ac79958279a34f1d5acb0b6b41383085dec884674aceeaf86a4aca964df6fb
• Opcode Fuzzy Hash: 7b8e1c19ece859e267ece55a4c832ff7a0ea74774f56bb3e212920239236d33c
• Instruction Fuzzy Hash: 2821F271504200EFDB06DF9CD9C0F26BBA5FB84324F20CA6DE90D4B296C336D446CA61
Memory Dump Source
• Source File: 00000000.00000002.1720501257.000000000190D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0190D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_190d000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ef6ff143b4ad9bca514a5cc68319b0168b89d00413b62231119b8902cbe06af4
• Instruction ID: 844344bc322666511f46558b33447ad2beb71b45033365a0a73888c938690ae9
• Opcode Fuzzy Hash: ef6ff143b4ad9bca514a5cc68319b0168b89d00413b62231119b8902cbe06af4
• Instruction Fuzzy Hash: D421F271604200DFDB16DF98D984B26BFB9EB84354F20C96DD94E4B296C33AD447CA61
Memory Dump Source
• Source File: 00000000.00000002.1720501257.000000000190D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0190D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_190d000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction ID: a65792f75d826f98b2028fe0ac44599b49a9cca6ae89a63075c58548194af00a
• Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction Fuzzy Hash: CD118B75504280DFDB16CF98D5C4B16BFB2FB84314F24C6AAD84D4B696C33AD44ACBA2
Memory Dump Source
• Source File: 00000000.00000002.1720501257.000000000190D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0190D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_190d000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction ID: 4ea82083d872b4b2ff7d990be7c59f0714bacf5cf57e9e5344397b4646192f73
• Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction Fuzzy Hash: 0011BB76504280DFDB02CF98C5C4B15BFA1FB84224F24C6AAD8494B696C33AD44ACB61
Memory Dump Source
• Source File: 00000000.00000002.1720417064.00000000018FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18fd000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 81a673bdef75cfcc9829d444a968396bea9741e14d4dabcffb7d1eb5fad2d92e
• Instruction ID: 512f67f9f265d636f86546db9ad79b3ab1cc45225556725e89fb4a78aa7fbe26
• Opcode Fuzzy Hash: 81a673bdef75cfcc9829d444a968396bea9741e14d4dabcffb7d1eb5fad2d92e
• Instruction Fuzzy Hash: A9012B310083849AE7115EAACD84B67BF9CDF41324F18C62EEF088F296D239D940C671
Memory Dump Source
• Source File: 00000000.00000002.1720417064.00000000018FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18fd000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eaee3012aca084c3109d471b18b505c0978e06acd2786a4fffb3ddae647e1cf2
• Instruction ID: c2c2a6d38460945f233b9dd93445fb661ad05873e1133d896d3105927c61f662
• Opcode Fuzzy Hash: eaee3012aca084c3109d471b18b505c0978e06acd2786a4fffb3ddae647e1cf2
• Instruction Fuzzy Hash: CEF062714083849AE7119E5ACC88B66FFA8EB41734F18C55AEE084F296D2799844CAB1
Memory Dump Source
• Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 97548ed3af813c812b16096fe68e9b35aaf657f0c3d23931ed76df69d8ee3e41
• Instruction ID: dc49c528a177b78b1993e909f166045e0b4e8aeeb23795168319ee2b961dad31
• Opcode Fuzzy Hash: 97548ed3af813c812b16096fe68e9b35aaf657f0c3d23931ed76df69d8ee3e41
• Instruction Fuzzy Hash: E2D1AEB17027018FD725DB79D450BAEB7F6AF89704F145469D146CB3A1CB34E881CBA1
Memory Dump Source
• Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 898d58e7267ca0c68433a2342b58bc15b7593f6d396ffc1edb9c46de210e704f
• Instruction ID: ae3859bd369c8e3cbdbb9d46515818745882ecb96bddaea2cdf74b5b780a5d90
• Opcode Fuzzy Hash: 898d58e7267ca0c68433a2342b58bc15b7593f6d396ffc1edb9c46de210e704f
• Instruction Fuzzy Hash: 30E1FAB4E011198FCB14DFA9D5809AEFBB2FF89304F249169E414AB356D734AD81CFA1
Memory Dump Source
• Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 047863d3ded40d516cdcc01037f7c208a86248cdd7268c4006ba3db54149eaa3
• Instruction ID: 9e41687a9a39590fe7fee05b692ed67f5147dd7644e460888920de0bc749fef0
• Opcode Fuzzy Hash: 047863d3ded40d516cdcc01037f7c208a86248cdd7268c4006ba3db54149eaa3
• Instruction Fuzzy Hash: B2E12AB4E011198FCB14DFA9D5809AEFBB2FF89304F249169E404AB356D734AD81CFA1
Memory Dump Source
• Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 98ef87f0d11194044bebe6b4f1ed4bbc06f6062123781a9005d5f717a78356fc
• Instruction ID: 9bfc529b1e058ca528f6edf054fe86a655d500af373fd81a25e1e00afdce23f8
• Opcode Fuzzy Hash: 98ef87f0d11194044bebe6b4f1ed4bbc06f6062123781a9005d5f717a78356fc
• Instruction Fuzzy Hash: BDE10AB4E011198FCB14DFA9D5809AEFBB2FF89304F249169E414AB356D734AD81CFA0
Memory Dump Source
• Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41d9becc04847e763d8384f1d203720ef51f85fdb07ad84da24219da47f618a0
                                                                                                                                    • Instruction ID: df828ad78f5bfc28f2a965a927daa2e21529c1db141e0ebc7ca4196c9d4bb18f
                                                                                                                                    • Opcode Fuzzy Hash: 41d9becc04847e763d8384f1d203720ef51f85fdb07ad84da24219da47f618a0
                                                                                                                                    • Instruction Fuzzy Hash: 2CE1FBB4E011198FCB14DFA9D5809AEFBB2FF89304F249169E414AB355D735AD81CFA0
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: ced844399fac53e02e4c34111fab6a112444aa95b3523a25cf704d0a9cbe564e
                                                                                                                                    • Instruction ID: 9842fa16b5275a6798eb2322d7ad06469f5bf7f89eea6971143027d974aacd9d
                                                                                                                                    • Opcode Fuzzy Hash: ced844399fac53e02e4c34111fab6a112444aa95b3523a25cf704d0a9cbe564e
                                                                                                                                    • Instruction Fuzzy Hash: 87E119B4E011198FCB14DFA9D580AAEFBB2FF89304F249169D414AB356D735AD81CFA0
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 4adedcbbb7dde7874ca0fa33894926c791bc44e766981d2901f0f1cc00bf52db
                                                                                                                                    • Instruction ID: f62d4c72bd8cc2fe651c7a3f8eaaa9a865ca9163b2a2e236dbce8dd0652b9cf7
                                                                                                                                    • Opcode Fuzzy Hash: 4adedcbbb7dde7874ca0fa33894926c791bc44e766981d2901f0f1cc00bf52db
                                                                                                                                    • Instruction Fuzzy Hash: 4D512BB4E012198BDB14CFA9D5805AEFBF2FF89304F2481A9D418A7356D735A942CFA1
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 9d66293a5a7a2a635f2d5782d50bf72aefd1e85abe2973fdfe469cccb6e10a35
                                                                                                                                    • Instruction ID: 80547e519a47f0b896722451439cf1a4e0001d9ea2cafeb48d4e1b4ea2d1c5fe
                                                                                                                                    • Opcode Fuzzy Hash: 9d66293a5a7a2a635f2d5782d50bf72aefd1e85abe2973fdfe469cccb6e10a35
                                                                                                                                    • Instruction Fuzzy Hash: A9511AB0E012198FCB14DFA9D5805AEFBF2FF89304F2481A9D418A7356DB35A941CFA1
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 03f7feacea7bcce4fba50fc1e8ca40899d975e79bf2883eadb2c0362a1aa5932
                                                                                                                                    • Instruction ID: 7861ab2307da48673875686850713f27c59ad9c00b3f6aade4dc74d11981f0ed
                                                                                                                                    • Opcode Fuzzy Hash: 03f7feacea7bcce4fba50fc1e8ca40899d975e79bf2883eadb2c0362a1aa5932
                                                                                                                                    • Instruction Fuzzy Hash: 385138B4E012198BCB14DFA9D5845AEFBF2FF89314F24C169D418AB356DB349981CFA0
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1739150833.0000000007E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_7e00000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 96c6480e07bd4bffb026bb6f32e056d5bd88c137ea9100753f3fbfff06200156
                                                                                                                                    • Instruction ID: 4ad1b732f0fdc63df0e094a28247dbafe6c0a7d17a7d0f502b980d8fa2f7989d
                                                                                                                                    • Opcode Fuzzy Hash: 96c6480e07bd4bffb026bb6f32e056d5bd88c137ea9100753f3fbfff06200156
                                                                                                                                    • Instruction Fuzzy Hash: 40E04FB8E5E148DFCB50DFF4B8041F8B7B8AB4B21AF0630A5D40E93242D33445408B94
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: N
                                                                                                                                    • API String ID: 0-1130791706
                                                                                                                                    • Opcode ID: aa71d8570723f254dd855f8bff0f337dd790070cdeb48710ba294a90db4076de
                                                                                                                                    • Instruction ID: 8a157df2e6b8aa205a38111afd83bb0e89dda6c136aa786d2897ac0c1c8359a6
                                                                                                                                    • Opcode Fuzzy Hash: aa71d8570723f254dd855f8bff0f337dd790070cdeb48710ba294a90db4076de
                                                                                                                                    • Instruction Fuzzy Hash: B173E631C1075A8ECB11EF68C854A99FBB1FF99304F15D69AE44877221EB70AAC4CF91
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: Xbq$Xbq
                                                                                                                                    • API String ID: 0-1243427068
                                                                                                                                    • Opcode ID: ae8cfde47feacc07d8031c8b96c74a20cbe09b79c9f0f619efc20292ad0bb30a
                                                                                                                                    • Instruction ID: e0c1af4170968ccb92b877d8a5442345bbbed21f04f1e29de8bc3fc9de4b19ae
                                                                                                                                    • Opcode Fuzzy Hash: ae8cfde47feacc07d8031c8b96c74a20cbe09b79c9f0f619efc20292ad0bb30a
                                                                                                                                    • Instruction Fuzzy Hash: C7323E26B5A2D4DFF717233C04D59A03FA29D27512B8F98D9D8C08B866D519088FCBB6
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: Xbq$$^q
                                                                                                                                    • API String ID: 0-1593437937
                                                                                                                                    • Opcode ID: 92380517099c60546c1758a392f9cbaed64d025a47b2c0e5afa65953e76d82e8
                                                                                                                                    • Instruction ID: 4e6a783682c2879f1a95b537955eccb3e2a1261d2ca53892255405e1cd4901b2
                                                                                                                                    • Opcode Fuzzy Hash: 92380517099c60546c1758a392f9cbaed64d025a47b2c0e5afa65953e76d82e8
                                                                                                                                    • Instruction Fuzzy Hash: 3091C670B04258DBDB18EF78995827EBBB3BFC9744B14882DE146E7294DE34C90297A1
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 92c16782c0f071dabf79bdc4af30a7508532881dead990ef9dbc69f8a19a9275
                                                                                                                                    • Instruction ID: 7d1cc9c67b1de7b27651c6e51db397f6656dd580f62fb4279dab000e677682a2
                                                                                                                                    • Opcode Fuzzy Hash: 92c16782c0f071dabf79bdc4af30a7508532881dead990ef9dbc69f8a19a9275
                                                                                                                                    • Instruction Fuzzy Hash: C5C1AD74E00218CFDB14DFA5D994B9DBBB2FB89304F2480AAD809A7364DB359E85CF10
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 6a8ce31ff6e22e1bcf6e55dbecf47ec039cb0d2bab6f69bb03450ed6db3e1261
                                                                                                                                    • Instruction ID: d892fedd40cd768d4e28d23575250f6129750858589ec3bcecdda318c1446585
                                                                                                                                    • Opcode Fuzzy Hash: 6a8ce31ff6e22e1bcf6e55dbecf47ec039cb0d2bab6f69bb03450ed6db3e1261
                                                                                                                                    • Instruction Fuzzy Hash: 8EA13471D106198EDB10DFA9D8447DDFBB1EF99304F14D2AAE408A7221EB709A85CF51
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 919e5a3e6443451c025762460a11d7624ea58e66497611f0272a49c2c6681d73
                                                                                                                                    • Instruction ID: 61ee7015134d1a5a7f825886eae67a0dce38bf61c17b9b7a802b08688b75c3ab
                                                                                                                                    • Opcode Fuzzy Hash: 919e5a3e6443451c025762460a11d7624ea58e66497611f0272a49c2c6681d73
                                                                                                                                    • Instruction Fuzzy Hash: 32A12570D00218CFDB14DFA8D998BDDBBB1FF89304F249269E408A72A1DB749985CF64
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 5722497844988c47741a5fe5a4164b7b597d854b841adff8e3641f05413311bc
                                                                                                                                    • Instruction ID: 805009cac30e0b929d98af4436af8caf19208cf88fad0da60a1ebe6b775c475b
                                                                                                                                    • Opcode Fuzzy Hash: 5722497844988c47741a5fe5a4164b7b597d854b841adff8e3641f05413311bc
                                                                                                                                    • Instruction Fuzzy Hash: 08A12470D00218CFDB14DFA9D898BDDBBB1FF89314F249269E408A72A1DB749985CF64
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 7424ecc3a1e115572e2233a9deefa6f0b663afa827c59aed40a162c5c51746a2
                                                                                                                                    • Instruction ID: b00983fc08aa8301ea7b20704710fde4080771861b5a9692aa8ecac80865d370
                                                                                                                                    • Opcode Fuzzy Hash: 7424ecc3a1e115572e2233a9deefa6f0b663afa827c59aed40a162c5c51746a2
                                                                                                                                    • Instruction Fuzzy Hash: 2391D170D00218CFDB10DFA8D998BDDBBB1FF59314F249269E409AB291DB749985CF24
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: bb5ddd83d5f82bb914ee6ceaa983e5344a884b21b4eab441f52758fe05996b3a
                                                                                                                                    • Instruction ID: 60ad9cb9b8fe08b76fa8fef0f199fe9724567dcad89699da3fc43c3b0a81d621
                                                                                                                                    • Opcode Fuzzy Hash: bb5ddd83d5f82bb914ee6ceaa983e5344a884b21b4eab441f52758fe05996b3a
                                                                                                                                    • Instruction Fuzzy Hash: 7941E574E01248CBEB18DFA6D85469EFBB2AF89304F24D12AD815AB354EB385946CF50
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                                                                                                    • API String ID: 0-1487592376
                                                                                                                                    • Opcode ID: f6070e854e0b893261d8c87d2eaa4717a7b6166b6cecb4ec9b3bd663d69eda66
                                                                                                                                    • Instruction ID: 51f5979f77d5c90c633e5956fac83432c7e9286fd78e799273a018030045b383
                                                                                                                                    • Opcode Fuzzy Hash: f6070e854e0b893261d8c87d2eaa4717a7b6166b6cecb4ec9b3bd663d69eda66
                                                                                                                                    • Instruction Fuzzy Hash: CF51D574E00218DFCB44DFA9E584A9DBBF2BF99314F248469E815AB364DB349946CF10
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: 8cq$Hbq$Hbq$TJcq
                                                                                                                                    • API String ID: 0-2223066127
                                                                                                                                    • Opcode ID: 3484787f02b026a6005181fc0159dd5918fabe0255b184796c7803cc7ccba6e7
                                                                                                                                    • Instruction ID: c516ced2199d674139274c727416ac35f7e73ca090d97b19a599ff9384c9b1bb
                                                                                                                                    • Opcode Fuzzy Hash: 3484787f02b026a6005181fc0159dd5918fabe0255b184796c7803cc7ccba6e7
                                                                                                                                    • Instruction Fuzzy Hash: BAC1F231B002148FCB15DF68E890AADBBB6EF99334F184166E545DB3A1CB75DC82CB61
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: Xbq$Xbq$Xbq$Xbq
                                                                                                                                    • API String ID: 0-2732225958
                                                                                                                                    • Opcode ID: d84e6dd04ce1eb9eff2f535817572a28b9b68d901f58a1e116707da042b83a83
                                                                                                                                    • Instruction ID: 92acd32ecba98d49d551bb2feba934b5f79104c2c5a7e5fb2142b4ed7ceb9fc4
                                                                                                                                    • Opcode Fuzzy Hash: d84e6dd04ce1eb9eff2f535817572a28b9b68d901f58a1e116707da042b83a83
                                                                                                                                    • Instruction Fuzzy Hash: 8FB12431E092A8DFEB175B3C44806E97FA69F67700F8AC8E5D48097526D6344D8FCB62
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: $Hbq$Hbq$Hbq
                                                                                                                                    • API String ID: 0-580995494
                                                                                                                                    • Opcode ID: 228c3e7086ea9e954f3d2c1f331d0c8894f45c4036fbb6f042264058a90dc762
                                                                                                                                    • Instruction ID: e86ebe24ace7ed665903f9864b348b0838c3af375621ba1cee91ea0b6723db15
                                                                                                                                    • Opcode Fuzzy Hash: 228c3e7086ea9e954f3d2c1f331d0c8894f45c4036fbb6f042264058a90dc762
                                                                                                                                    • Instruction Fuzzy Hash: 2471F630700258CBDF166F78A81866E3B92EFE5378F24461AE922973D0CF799D02D765
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: $Hbq$Hbq$Hbq
                                                                                                                                    • API String ID: 0-580995494
                                                                                                                                    • Opcode ID: 292691ee2ca58e1135d36a5128d8e3266977c85e57cec170e1422acb5285656f
                                                                                                                                    • Instruction ID: 8a83336364564aba895476e0893c758cd75356d945b8b2be097abd1f5b79f8ae
                                                                                                                                    • Opcode Fuzzy Hash: 292691ee2ca58e1135d36a5128d8e3266977c85e57cec170e1422acb5285656f
                                                                                                                                    • Instruction Fuzzy Hash: E251F530700258CBDB156F78A81826E3BA2EFE5364F24452AE526973D1CF78DD02C7A5
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: 8cq$TJcq
                                                                                                                                    • API String ID: 0-1920894394
                                                                                                                                    • Opcode ID: 11064efacd1ba2fd139a72f5535428f1dbada0404ea070e5ede0b59cb94a228f
                                                                                                                                    • Instruction ID: 510a4af662844a43f7bdb6f1a339f6dca2e9a062522bf8e83224b5a7dadbd427
                                                                                                                                    • Opcode Fuzzy Hash: 11064efacd1ba2fd139a72f5535428f1dbada0404ea070e5ede0b59cb94a228f
                                                                                                                                    • Instruction Fuzzy Hash: CC413535A001188FCB04DB98D580EDDBBB6EF88334F195195E505AB3A5CB71EC86CFA1
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: 8cq$TJcq
                                                                                                                                    • API String ID: 0-1920894394
                                                                                                                                    • Opcode ID: cb42b038520a2eae925541f08985ab380886b7e80cbaef78b45117d6384a0e54
                                                                                                                                    • Instruction ID: 7dac1cf198468e86e403f2d77db7d1eede4a6ae9170411fe752b2e631d6af382
                                                                                                                                    • Opcode Fuzzy Hash: cb42b038520a2eae925541f08985ab380886b7e80cbaef78b45117d6384a0e54
                                                                                                                                    • Instruction Fuzzy Hash: D8313735B001198FCB04EFA8D580E9DBBB2EF88324F195495E505AB366CB71EC85CBA1
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: 8cq$TJcq
                                                                                                                                    • API String ID: 0-1920894394
                                                                                                                                    • Opcode ID: 22482ba51fc1b1353050a1586eafb26c0d8d2c590f1987433cdfadf5f7d4e5cf
                                                                                                                                    • Instruction ID: 5698c5071cce6b7ca9209857e4ee095e508842fbd9c350d6e439cdfd984dc53f
                                                                                                                                    • Opcode Fuzzy Hash: 22482ba51fc1b1353050a1586eafb26c0d8d2c590f1987433cdfadf5f7d4e5cf
                                                                                                                                    • Instruction Fuzzy Hash: 16313935B401198FCB04EFA8D580E9DBBB2EF88324F195454E505AB365CB71EC85CBA1
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: Hbq$Hbq
                                                                                                                                    • API String ID: 0-4258043069
                                                                                                                                    • Opcode ID: 36f227c21f4742b6320e5582a561aca29886ae0cf91eeb4a99c1cc8b54edbc4b
                                                                                                                                    • Instruction ID: f85520a8673067c7bb7c83afbac6fcb008155292108030a02f0930a97a9973f7
                                                                                                                                    • Opcode Fuzzy Hash: 36f227c21f4742b6320e5582a561aca29886ae0cf91eeb4a99c1cc8b54edbc4b
                                                                                                                                    • Instruction Fuzzy Hash: D011BE31B001548FC7497A3C986933F669BBBD8B40B288479E106CB396CE398E03D3E5
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: LR^q
                                                                                                                                    • API String ID: 0-2625958711
                                                                                                                                    • Opcode ID: 855b7f35f69866180bb897867ab35ecdf5835d0c5a30994aebd9d82d93e85f0b
                                                                                                                                    • Instruction ID: 1ed4a38a1285ddfaa167f1fc815aab34a57126a43757643f36996d5c4ce01bfd
                                                                                                                                    • Opcode Fuzzy Hash: 855b7f35f69866180bb897867ab35ecdf5835d0c5a30994aebd9d82d93e85f0b
                                                                                                                                    • Instruction Fuzzy Hash: B4A1DF74A0030ACFCF05EFA8E995A9DBBB1FF94314B105529E405A7369DB70AD46CF80
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: LR^q
                                                                                                                                    • API String ID: 0-2625958711
                                                                                                                                    • Opcode ID: d44303aa6db68cdd21c11b40dfa3c4013f66f8d2294777bfd5f0b3a133a8a4e0
                                                                                                                                    • Instruction ID: d3d0e7ed4d296675a05bbab0f44c7b0ad1e7da1e92c2aed0e4e6184571abad2d
                                                                                                                                    • Opcode Fuzzy Hash: d44303aa6db68cdd21c11b40dfa3c4013f66f8d2294777bfd5f0b3a133a8a4e0
                                                                                                                                    • Instruction Fuzzy Hash: A3A1DF74A0030ACFCF05EFA8E994A9DBBB1FF98315B105529E405A7369DB70AD46CF80
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: Hbq
                                                                                                                                    • API String ID: 0-1245868
                                                                                                                                    • Opcode ID: e22df634410d1e1ff561f1125535d88988f03665c1d02317cdb6522ca367374f
                                                                                                                                    • Instruction ID: fbff81bdb594f1197f9cf9394e44f150a4448751a48ed25663b77721d4653849
                                                                                                                                    • Opcode Fuzzy Hash: e22df634410d1e1ff561f1125535d88988f03665c1d02317cdb6522ca367374f
                                                                                                                                    • Instruction Fuzzy Hash: FF41E5357002499FCB05AFB8E8556AE7FB6EF89351B1444BAE549CB252DF348D02C7B0
Strings
Memory Dump Source
• Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
Similarity
• API ID:
• String ID: Hbq
• API String ID: 0-1245868
Memory Dump Source
• Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.2932004746.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_c9d000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.2932004746.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_c9d000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.2932444378.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_d20000_Order_12232024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

                                                                                                                                    Execution Graph

                                                                                                                                    Execution Coverage:8.7%
                                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                                    Signature Coverage:0%
                                                                                                                                    Total number of Nodes:163
                                                                                                                                    Total number of Limit Nodes:11
                                                                                                                                    execution_graph
79ac687 26225 79ac6a9 26222->26225 26223 79ac6df 26225->26223 26226 79a930c 26225->26226 26227 79ac980 PostMessageW 26226->26227 26228 79ac9ec 26227->26228 26228->26225

Control-flow Graph
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 079A9E56
Memory Dump Source
• Source File: 0000000A.00000002.1776549307.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_79a0000_qIDGekPXala.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: b208cb0efeb9b7d1e2eedf8ceaf4eacc37609f1355a7ef0753b17f65589270b8
• Instruction ID: 8f4b31d027b32e4782b42e4a4d6b31cd1bae7ac0cc81def67d70fa3515650e5c
• Opcode Fuzzy Hash: b208cb0efeb9b7d1e2eedf8ceaf4eacc37609f1355a7ef0753b17f65589270b8
• Instruction Fuzzy Hash: 85917EB1D0121ADFDF10CFA8C8457EDBBB6BF44314F1485A9E809A7240DB74A985CF91

Control-flow Graph
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 079A9E56
Memory Dump Source
• Source File: 0000000A.00000002.1776549307.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_79a0000_qIDGekPXala.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 7d31776dc61bfadca38180233168d67c0cd750de8520d7d6e239d0875f7a00d5
• Instruction ID: 24f05e85b2b5030b4d0ff5a7a3b36987b731ea3ee825aa79c1a480250f210c65
• Opcode Fuzzy Hash: 7d31776dc61bfadca38180233168d67c0cd750de8520d7d6e239d0875f7a00d5
• Instruction Fuzzy Hash: BA916EB1D0125ADFDF10CFA8C8417DDBBB6BF44324F1485A9E809A7240DB74A985CF92

Control-flow Graph
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0192F026
Memory Dump Source
• Source File: 0000000A.00000002.1770313739.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1920000_qIDGekPXala.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: f63d545742b9452b860b7a7a244a5f6843090edcf4fe7d8a4c7b3fce253de749
• Instruction ID: 14411814c9457d4093f0d384531672b4e84d247da863d8e941659ec5c821b7c9
• Opcode Fuzzy Hash: f63d545742b9452b860b7a7a244a5f6843090edcf4fe7d8a4c7b3fce253de749
• Instruction Fuzzy Hash: 25813470A00B168FD724DF29D484B9ABBF5FF88300F04892ED48ADBA55D775E849CB91

Control-flow Graph
APIs
• CreateActCtxA.KERNEL32(?), ref: 019259C9
Memory Dump Source
• Source File: 0000000A.00000002.1770313739.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1920000_qIDGekPXala.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: d1c3933bcaae5188356fc08719fac99d31fb320600f22f60ece3e9e2d881903b
• Instruction ID: 320364bd9f47622d18189d2152a943929af283f587a2c7958d5c9f5344be4ebd
• Opcode Fuzzy Hash: d1c3933bcaae5188356fc08719fac99d31fb320600f22f60ece3e9e2d881903b
• Instruction Fuzzy Hash: 5441E2B0D00719CFDB24CFA9C885ADDBBF5BF89304F24806AD408AB255DB755946CF90

Control-flow Graph
APIs
• CreateActCtxA.KERNEL32(?), ref: 019259C9
Memory Dump Source
• Source File: 0000000A.00000002.1770313739.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1920000_qIDGekPXala.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 171326b5c165d58c8f9b85446692e9597be246aa01e1e7ee3a8d91cd99583f53
• Instruction ID: caa5d14ee943760d75c67f23ba4b58eb9de64f637e68f8611b429c28047752bd
• Opcode Fuzzy Hash: 171326b5c165d58c8f9b85446692e9597be246aa01e1e7ee3a8d91cd99583f53
• Instruction Fuzzy Hash: D441DFB0C00729CBDB24DFAAC884BDEBBF5BF49304F64806AD408AB255DB756945CF90

Control-flow Graph
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 079A91F0
Memory Dump Source
• Source File: 0000000A.00000002.1776549307.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_79a0000_qIDGekPXala.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: f61fe1e09a5324400bd56ff64dfde4c79de65791bc14704fccd6768296203d19
• Instruction ID: bc7f141de535637b9744ce30986a3faca17fa95dcb0c454ba0171dc7461ef68f
• Opcode Fuzzy Hash: f61fe1e09a5324400bd56ff64dfde4c79de65791bc14704fccd6768296203d19
• Instruction Fuzzy Hash: 802177B19003599FCB10DFA9C885BDEBBF5FF48320F10842AE918A7240C778A944CBA0

Control-flow Graph
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 079A91F0
Memory Dump Source
• Source File: 0000000A.00000002.1776549307.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_79a0000_qIDGekPXala.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 596c7a8579901914a21a86d31034685c5e1c925619f59c56fbaeba4faec4f4f3
• Instruction ID: aba0297fceda0522267c9b42e8eef9afe4c895707aaffc23705c64f528f23aef
• Opcode Fuzzy Hash: 596c7a8579901914a21a86d31034685c5e1c925619f59c56fbaeba4faec4f4f3
• Instruction Fuzzy Hash: 4E2119B19003599FCF10DFA9C885BDEBBF5FF48324F10842AE959A7250C778A954CBA4

Control-flow Graph
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 079A96D0
Memory Dump Source
• Source File: 0000000A.00000002.1776549307.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_79a0000_qIDGekPXala.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: f702caac98da0fad4785c4916450d4f6c13b38a0e9866b0774ae0d3754630bff
• Instruction ID: 6c04c20cc60fe9f8f6ba55c844e6be7d61e1880e07ef53467d3f87aea59d02a2
• Opcode Fuzzy Hash: f702caac98da0fad4785c4916450d4f6c13b38a0e9866b0774ae0d3754630bff
• Instruction Fuzzy Hash: 912116B19002599FCB10DFAAC885AEEBBF5FF48324F508429E959A7250C738A544DBA4

Control-flow Graph
Control-flow graph: blocks 1584 (79a8fc2-79a9013), 1587 (79a9023-79a9053, calls Wow64SetThreadContext), 1588 (79a9015-79a9021), 1590 (79a905c-79a908c), 1591 (79a9055-79a905b); edges 1584->1587, 1584->1588, 1587->1590, 1587->1591, 1588->1587, 1591->1590.
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 079A9046
Memory Dump Source
• Source File: 0000000A.00000002.1776549307.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_79a0000_qIDGekPXala.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 079A96D0
Memory Dump Source
• Source File: 0000000A.00000002.1776549307.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_79a0000_qIDGekPXala.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 079A9046
Memory Dump Source
• Source File: 0000000A.00000002.1776549307.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_79a0000_qIDGekPXala.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079A910E
Memory Dump Source
• Source File: 0000000A.00000002.1776549307.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_79a0000_qIDGekPXala.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079A910E
Memory Dump Source
• Source File: 0000000A.00000002.1776549307.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_79a0000_qIDGekPXala.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
Memory Dump Source
• Source File: 0000000A.00000002.1776549307.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_79a0000_qIDGekPXala.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
Memory Dump Source
• Source File: 0000000A.00000002.1776549307.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_79a0000_qIDGekPXala.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 079AC9DD
Memory Dump Source
• Source File: 0000000A.00000002.1776549307.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_79a0000_qIDGekPXala.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 079AC9DD
Memory Dump Source
• Source File: 0000000A.00000002.1776549307.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_79a0000_qIDGekPXala.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0192F026
Memory Dump Source
• Source File: 0000000A.00000002.1770313739.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1920000_qIDGekPXala.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Memory Dump Source
• Source File: 0000000A.00000002.1769936577.000000000173D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_173d000_qIDGekPXala.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000A.00000002.1770008730.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_174d000_qIDGekPXala.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000A.00000002.1770008730.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_174d000_qIDGekPXala.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                    • Opcode ID: a4b0db5519dd578bf57e4afa1ef590e5ff1f576aa476261fa107f3bb74507fa7
                                                                                                                                    • Instruction ID: 295e3d9d07176bf1a48e4bab82c00f939091afecc1d0b98b254aae8f1d4fb2de
                                                                                                                                    • Opcode Fuzzy Hash: a4b0db5519dd578bf57e4afa1ef590e5ff1f576aa476261fa107f3bb74507fa7
                                                                                                                                    • Instruction Fuzzy Hash: F1212271604200DFCB25DF98D9C4B26FFA5EB98314F20C5ADD88A4B266C33AD447CA61
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000A.00000002.1769936577.000000000173D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173D000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_10_2_173d000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                    • Instruction ID: df6268073da8789e53d8ce67a1043f0e9f4a09dde7e1c0a2964b3e0622369094
                                                                                                                                    • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                    • Instruction Fuzzy Hash: 9E11CD72504280CFCB12CF54D5C4B16BF62FB84218F24C6A9D8090B257C336D45ACBA1
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000A.00000002.1770008730.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_10_2_174d000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                    • Instruction ID: 798c691eb1598b438db1389a38650b52614df392b7124c3705b3babb305877dd
                                                                                                                                    • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                    • Instruction Fuzzy Hash: 4E11D075504280CFDB16CF54D5C4B15FF61FB44314F24C6AED8494B666C33AD40ACB61
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000A.00000002.1770008730.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_10_2_174d000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                    • Instruction ID: 011d33d17fa2089cf24dc02a4060d06541cd281c3725a179bce855231a52822e
                                                                                                                                    • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                    • Instruction Fuzzy Hash: A311BB75508280DFDB12CF54C5C4B15FFA1FB84224F24C6AAD8894B296C33AD40ACB61
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: N
                                                                                                                                    • API String ID: 0-1130791706
                                                                                                                                    • Opcode ID: 173a8155369798be6d5f0ec8158616592fb81f5b002968ce90c1155bdc4f699c
                                                                                                                                    • Instruction ID: a000136446c989f881fab4247aee906794d70c768349cb57962ff0cbc8a5ef69
                                                                                                                                    • Opcode Fuzzy Hash: 173a8155369798be6d5f0ec8158616592fb81f5b002968ce90c1155bdc4f699c
                                                                                                                                    • Instruction Fuzzy Hash: 1D73D631D10B5A8EDB11EF68C854A99FBB1FF99300F11D69AE44977221EB70AAC4CF41
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: cf6d53e5b0c1057802df05cbc36513bec91af52f211b7c401c920402195b6c64
                                                                                                                                    • Instruction ID: a347b722a5e6cd49e83b7a56f45f1d45a4f907da806b3e46970d9cd96711f221
                                                                                                                                    • Opcode Fuzzy Hash: cf6d53e5b0c1057802df05cbc36513bec91af52f211b7c401c920402195b6c64
                                                                                                                                    • Instruction Fuzzy Hash: 16C1A374E00218CFDB14DFA5D994B9DBBB2BF88304F2085A9D809AB365DB359E85CF10
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 0c8e13786ca512de17e948f06537f97547a7cd65b985f9154386544ad61517da
                                                                                                                                    • Instruction ID: b442c9a935a57c102c00d09db1f34e470820b08729765959739ef070b0ccee76
                                                                                                                                    • Opcode Fuzzy Hash: 0c8e13786ca512de17e948f06537f97547a7cd65b985f9154386544ad61517da
                                                                                                                                    • Instruction Fuzzy Hash: 96A11471D016198EDB24DFA9C8847DDFBB1FF89300F10D6AAE419A7260EB709A85CF41
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 7009802e7003afd94e158554a4e2942b37589c9ee655c17660c103682c1e99dc
                                                                                                                                    • Instruction ID: 0a835941d3c331a945145da93c90e78cfc906b46e81e1300f45a4d970eaf9b10
                                                                                                                                    • Opcode Fuzzy Hash: 7009802e7003afd94e158554a4e2942b37589c9ee655c17660c103682c1e99dc
                                                                                                                                    • Instruction Fuzzy Hash: C5A1F270D00218CFDB14DFA9C998BDDBBB1FF89304F249269E409AB2A1DB749985CF54
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 410615f40e5a17f3b022db8ceb1ae1ad13d4c4bfd6f0ea9fe73d741710bb4866
                                                                                                                                    • Instruction ID: 196bbf9f70ac8d6a27953b5fe452f6ff00ef7c71f479aa980381ac747fbb8c29
                                                                                                                                    • Opcode Fuzzy Hash: 410615f40e5a17f3b022db8ceb1ae1ad13d4c4bfd6f0ea9fe73d741710bb4866
                                                                                                                                    • Instruction Fuzzy Hash: 1EA1F370D00608CFDB14DFA9D598BDDBBB1FF89304F209269E409AB2A1DB749985CF54
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 6c17b69f2a5bd124deb5ddbe40d75403cfe1afe75de911d5a74fb3cd2c44e8ac
                                                                                                                                    • Instruction ID: 232481219717d0014684b7805182668f870c6932ad226ddda7aadfb03c9d9ca5
                                                                                                                                    • Opcode Fuzzy Hash: 6c17b69f2a5bd124deb5ddbe40d75403cfe1afe75de911d5a74fb3cd2c44e8ac
                                                                                                                                    • Instruction Fuzzy Hash: EF91F270D00218CFDB10DFA9C598BDCBBB1FF89314F209269E50AAB291DB749A85CF54
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: c9b9e26fbee6c73ec5dfff07b6f94df2ac6fb6ca5546678b5d5dc437735f7112
                                                                                                                                    • Instruction ID: c07f4972eef41187a77a085d4b18aa1b4f74c3d717755b72121de686c31da5a8
                                                                                                                                    • Opcode Fuzzy Hash: c9b9e26fbee6c73ec5dfff07b6f94df2ac6fb6ca5546678b5d5dc437735f7112
                                                                                                                                    • Instruction Fuzzy Hash: C041D575D01248CBDB18DFAAD85469EFBF2BF88304F24D12AD819BB258EB345945CF50
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: 8cq$Hbq$Hbq$Hbq$TJcq
                                                                                                                                    • API String ID: 0-1895975235
                                                                                                                                    • Opcode ID: 2e07ba266fdc6df92cf06d056346b773b0997d5f3b412b737944f8ea3891f304
                                                                                                                                    • Instruction ID: 2678eb44e2b0e5e8bb4316282b801ae8935ea948ebb78cf59f1be587a495b325
                                                                                                                                    • Opcode Fuzzy Hash: 2e07ba266fdc6df92cf06d056346b773b0997d5f3b412b737944f8ea3891f304
                                                                                                                                    • Instruction Fuzzy Hash: 04D1C171B042048FCB14DB68C891AAEBBB6FFC9324F244569E506EB3A1CB35DD45CB91
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                                                                                                    • API String ID: 0-1487592376
                                                                                                                                    • Opcode ID: 08e29bd6f36407525b033f9c6b1f6d08639536b6ad8e20094066a657d7d7f78c
                                                                                                                                    • Instruction ID: 55033273e426b05a6c8b1d51f90f7f7ed5e6bee0ff4166df4dcd3d8f9ea7202d
                                                                                                                                    • Opcode Fuzzy Hash: 08e29bd6f36407525b033f9c6b1f6d08639536b6ad8e20094066a657d7d7f78c
                                                                                                                                    • Instruction Fuzzy Hash: EC51D574E00208DFCB58DFAAD584A9DBBF2BF89310F108569E816AB364DB34A941CF50
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: Xbq$Xbq$Xbq$Xbq
                                                                                                                                    • API String ID: 0-2732225958
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 164df03982c5c55f727f8f7c2c21dadb7565a7d1d88ef0cb5afcbe48e8018eaf
                                                                                                                                    • Instruction ID: e3c31035ed7d5c3d2e40c6e305ef4a4df9181e21f4f4897840e28da2a5cde39d
                                                                                                                                    • Opcode Fuzzy Hash: 164df03982c5c55f727f8f7c2c21dadb7565a7d1d88ef0cb5afcbe48e8018eaf
                                                                                                                                    • Instruction Fuzzy Hash: 12216670D442098FCB01EFB9D8455EEBFF0FF0A200F1552AAD40AB7251EB305A99CBA1
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: e085eba11b14120e1260960feca4d0f2b8d31773124ae1028afbb05395257816
                                                                                                                                    • Instruction ID: 1d8c668d57a3a6844712cd0d1eeb49c0c5c2ec59dcc60d9bf8c40e1fd11957b1
                                                                                                                                    • Opcode Fuzzy Hash: e085eba11b14120e1260960feca4d0f2b8d31773124ae1028afbb05395257816
                                                                                                                                    • Instruction Fuzzy Hash: 05114C767002048FCB14DB69D998E66B7E6FFC8725B148469E14ACB364CB71ED04CB50
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 3092cd20ef761b38b5ff7635b18ef4eef1f0b9eec88b602af75b0ba879074eaa
                                                                                                                                    • Instruction ID: 4397c207a4a0f722315c935cb2008638250a1e5ed9d4b457dccfb5c7b8c71d4a
                                                                                                                                    • Opcode Fuzzy Hash: 3092cd20ef761b38b5ff7635b18ef4eef1f0b9eec88b602af75b0ba879074eaa
                                                                                                                                    • Instruction Fuzzy Hash: 3001B136F402511FDB28ABB6885872B77EAAFC4219715883DD90AC7354FE30D8068792
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2932606908.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_129d000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                    • Instruction ID: 45aebc967d627419c09fbf36d24881c04751cff3d3889f4e42d5e4d7e1b93223
                                                                                                                                    • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                    • Instruction Fuzzy Hash: BE11EB75504284CFCB12CF58C5C4B15BFA1FB84314F28C6AAD9094B252C33AD40ACB62
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 9bfe025a68a272290159f9dd1146bfc6bf32cf585f70f01655619dc453ca2ddf
                                                                                                                                    • Instruction ID: 437433d39e3c11a060f603da50a5982c50cee0c5beeaa42c0ce16e218ecc6fae
                                                                                                                                    • Opcode Fuzzy Hash: 9bfe025a68a272290159f9dd1146bfc6bf32cf585f70f01655619dc453ca2ddf
                                                                                                                                    • Instruction Fuzzy Hash: A81157357002118FDB14DB2AD998B66B7E5FF88B28F14856DE14A8B364CB71ED04CB50
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: be6607f8e23d24fac15a4654cd2f58463ce06c26040673f6692e7a68f01a6572
                                                                                                                                    • Instruction ID: cb7ea38e2d70b70b5992e140a2abad9ecd7c69e997810ae66ea1a5df4770eee7
                                                                                                                                    • Opcode Fuzzy Hash: be6607f8e23d24fac15a4654cd2f58463ce06c26040673f6692e7a68f01a6572
                                                                                                                                    • Instruction Fuzzy Hash: 11018F36B002515BDB38AA7A885862F76EBAFC4528714883DD90AC7314FE70C8068792
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: e9b265556a4085bd509ad4533e470dd26db719ae3ab13fd2ec372905a06dec06
                                                                                                                                    • Instruction ID: ab201855147f9409f1fbb005b9d6c3aacac96ba70621bc821b665f031f67c757
                                                                                                                                    • Opcode Fuzzy Hash: e9b265556a4085bd509ad4533e470dd26db719ae3ab13fd2ec372905a06dec06
                                                                                                                                    • Instruction Fuzzy Hash: 31014C75A102199FCF149F69E8595AEBFB9EB88350F00842AF95AD7241DF348D10CBA1
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 3dfcebe528c6458d0810cfe2cddc67e349565722420e35df8a50fedfd524eca8
                                                                                                                                    • Instruction ID: 0566a388eaa5ec445645562bcc0b4ad5b6092121a7bbb5fe60af016d48b91772
                                                                                                                                    • Opcode Fuzzy Hash: 3dfcebe528c6458d0810cfe2cddc67e349565722420e35df8a50fedfd524eca8
                                                                                                                                    • Instruction Fuzzy Hash: 00017571E005199FCF14DF68E8555AE7FB5FB84310B00813AF959D7240DB308911CF51
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 5e6959992c33783782bb9dc4bcdb6b97b8a6a97adb83f31f1774845c3445f656
                                                                                                                                    • Instruction ID: ca146a393e855982c398c62e66619997d0c78fad628a365a8a67db0428083f10
                                                                                                                                    • Opcode Fuzzy Hash: 5e6959992c33783782bb9dc4bcdb6b97b8a6a97adb83f31f1774845c3445f656
                                                                                                                                    • Instruction Fuzzy Hash: 72F0F6367002549BCB052AB8D80A56D7F9EEBC9711F14842EF60BCB381DE76CD46C791
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: eaf8a7a30b7d689b25fbe15784304b5e732f45e9475a94f0e82626c962db8251
                                                                                                                                    • Instruction ID: 42d21560ed037ea331891a2509a1a9f13e607cb1e7b35c6ba135fc457af6323f
                                                                                                                                    • Opcode Fuzzy Hash: eaf8a7a30b7d689b25fbe15784304b5e732f45e9475a94f0e82626c962db8251
                                                                                                                                    • Instruction Fuzzy Hash: 7CF0A032B006159BCF1A576AE81496EB7AEEFC5635B14407BE50AEB350DF32DD028B90
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: b9c4ae5537ff659b676bf545ba820c3ef3c0854bf093659c9d98ca610f780c4e
                                                                                                                                    • Instruction ID: d8ca302e2254aa80c088a2cd01ebee52a0ba5949911491ca4b82e1a382685bc2
                                                                                                                                    • Opcode Fuzzy Hash: b9c4ae5537ff659b676bf545ba820c3ef3c0854bf093659c9d98ca610f780c4e
                                                                                                                                    • Instruction Fuzzy Hash: 14F0BB76A04209AF8B50DF6ED8419DFFBF5FF88254B444536E509D3201D770A911CBE1
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: b1a86fca0525d80cb742be5331093e86c06ea6e00cc2df73727d06c6ec88cae1
                                                                                                                                    • Instruction ID: ff2b182b899a9f990a72f1c864bfed6c819bec1bd85cd66c51e2b012441e19ba
                                                                                                                                    • Opcode Fuzzy Hash: b1a86fca0525d80cb742be5331093e86c06ea6e00cc2df73727d06c6ec88cae1
                                                                                                                                    • Instruction Fuzzy Hash: FEF08272A002089F8B50DFAED8409AFFBF6FB88250B00453AD509D3210E670A915CBE1
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 14f366559a24564ef522dbf6a353d531a645319612ce68406e952d06e9fb53b6
                                                                                                                                    • Instruction ID: f194c2981d3a02b57960a97cfcdfed10c52cb97780286a06e96f01426e0b016d
                                                                                                                                    • Opcode Fuzzy Hash: 14f366559a24564ef522dbf6a353d531a645319612ce68406e952d06e9fb53b6
• Instruction Fuzzy Hash: 23E0C2716617028FD7322F29F8AC32A7B64FF0B317F442C46A00AC001ADF704154CB44
Memory Dump Source
• Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 00df9049d3949c7fd49cf0e1046f1157a1bf9eeab1473bb7d972a472b28b9756
• Instruction ID: 334b545a1bd04337bf94f4a262225a30da33abe87b522baf8aacb2b2b3256001
• Opcode Fuzzy Hash: 00df9049d3949c7fd49cf0e1046f1157a1bf9eeab1473bb7d972a472b28b9756
• Instruction Fuzzy Hash: 8FE0223191435B5ACB05AFA0AC004EEBB34ED92600B9602B7D16A7B040FB70291AC7A6
Memory Dump Source
• Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 72bea5ac0d33a1af6393dee5b714a6b6656396871ec3c0256020098d7464481e
• Instruction ID: 731ccc883fde4870070db053b227e91f792fc08915e761670e1e1923582469cd
• Opcode Fuzzy Hash: 72bea5ac0d33a1af6393dee5b714a6b6656396871ec3c0256020098d7464481e
• Instruction Fuzzy Hash: 24E099702627028FD3322B69F5AC23A7A65FB0B317B802D06A10EC002ACF7004448B94
Memory Dump Source
• Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2636a6c436ef5004c00b1cb26df0886996a2ebd26739d12463ea28ff43f07ff2
• Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
• Opcode Fuzzy Hash: 2636a6c436ef5004c00b1cb26df0886996a2ebd26739d12463ea28ff43f07ff2
• Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2
Memory Dump Source
• Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 633aa724eef745924665b40c18414654276119e9bb703a348dd6691c95c63acb
• Instruction ID: deb7dffed625967408b04637df697b382aa02173bb8523665f76eb9e4d88d166
• Opcode Fuzzy Hash: 633aa724eef745924665b40c18414654276119e9bb703a348dd6691c95c63acb
• Instruction Fuzzy Hash: 7FB0926698079842DE351220C52B3A67B50EB61209F490CADA88380188E9188044C600
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2933296590.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2ce0000_qIDGekPXala.jbxd
Similarity
• API ID:
• String ID: Xbq$Xbq$Xbq$Xbq
• API String ID: 0-2732225958
• Opcode ID: 5fe8c68b5c4b823511195042d7f9cb9fba2c878e527ed645e266681d45c3f52f
• Instruction ID: 91e0e2aca0e958abeb0d67c582d9f2751c89e8cbfbbd32c37983ac86aeba76d4
• Opcode Fuzzy Hash: 5fe8c68b5c4b823511195042d7f9cb9fba2c878e527ed645e266681d45c3f52f
• Instruction Fuzzy Hash: FE317570E442198BDF64CF69854037EB6F6ABC4310F1841B9C55FA7254EBB0CE90CBA2