Edit tour

Windows Analysis Report
Order_List.scr.exe

Overview

General Information

Sample name:	Order_List.scr.exe
Analysis ID:	1586804
MD5:	78a62a23291a3c7907e947bc9f270e09
SHA1:	a28a2db1cacca688a66a00ecd840aedeaef484d4
SHA256:	3652dcdb4eaff1a11ff293eedb80363e024bda7a33f1e1c17b082dfd4cea5a86
Tags:	exeuser-lowmal3
Infos:

Detection

PureLog Stealer, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected Snake Keylogger

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Order_List.scr.exe (PID: 1548 cmdline: "C:\Users\user\Desktop\Order_List.scr.exe" MD5: 78A62A23291A3C7907E947BC9F270E09)

powershell.exe (PID: 5960 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_List.scr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 1408 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 5944 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5696 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTlLqTRGrXZr" /XML "C:\Users\user\AppData\Local\Temp\tmp5251.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Order_List.scr.exe (PID: 5900 cmdline: "C:\Users\user\Desktop\Order_List.scr.exe" MD5: 78A62A23291A3C7907E947BC9F270E09)

FTlLqTRGrXZr.exe (PID: 6320 cmdline: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe MD5: 78A62A23291A3C7907E947BC9F270E09)

schtasks.exe (PID: 7292 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTlLqTRGrXZr" /XML "C:\Users\user\AppData\Local\Temp\tmp6FCC.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

FTlLqTRGrXZr.exe (PID: 7344 cmdline: "C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe" MD5: 78A62A23291A3C7907E947BC9F270E09)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7888110857:AAH_lE30nomQfyzYUPPXbGWeGI9ffBUijsQ/sendMessage?chat_id=7222025033", "Token": "7888110857:AAH_lE30nomQfyzYUPPXbGWeGI9ffBUijsQ", "Chat_id": "7222025033", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2209588956.0000000005D20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000002.4607215864.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.4604593123.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.4604593123.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.4604593123.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x148c4:$a1: get_encryptedPassword 0x14bb0:$a2: get_encryptedUsername 0x146d0:$a3: get_timePasswordChanged 0x147cb:$a4: get_passwordField 0x148da:$a5: set_encryptedPassword 0x15fe7:$a7: get_logins 0x15f4a:$a10: KeyLoggerEventArgs 0x15bb5:$a11: KeyLoggerEventArgsEventHandler
00000009.00000002.4604593123.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19894:$x1: $%SMTPDV$ 0x18278:$x2: $#TheHashHere%& 0x1983c:$x3: %FTPDV$ 0x18218:$x4: $%TelegramDv$ 0x15bb5:$x5: KeyLoggerEventArgs 0x15f4a:$x5: KeyLoggerEventArgs 0x19860:$m2: Clipboard Logs ID 0x19a9e:$m2: Screenshot Logs ID 0x19bae:$m2: keystroke Logs ID 0x19e88:$m3: SnakePW 0x19a76:$m4: \SnakeKeylogger\
00000009.00000002.4607797930.00000000033AC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2207129697.0000000004349000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2207129697.0000000004349000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2207129697.0000000004349000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x15434:$a1: get_encryptedPassword 0x35e54:$a1: get_encryptedPassword 0x56674:$a1: get_encryptedPassword 0x15720:$a2: get_encryptedUsername 0x36140:$a2: get_encryptedUsername 0x56960:$a2: get_encryptedUsername 0x15240:$a3: get_timePasswordChanged 0x35c60:$a3: get_timePasswordChanged 0x56480:$a3: get_timePasswordChanged 0x1533b:$a4: get_passwordField 0x35d5b:$a4: get_passwordField 0x5657b:$a4: get_passwordField 0x1544a:$a5: set_encryptedPassword 0x35e6a:$a5: set_encryptedPassword 0x5668a:$a5: set_encryptedPassword 0x16b57:$a7: get_logins 0x37577:$a7: get_logins 0x57d97:$a7: get_logins 0x16aba:$a10: KeyLoggerEventArgs 0x374da:$a10: KeyLoggerEventArgs 0x57cfa:$a10: KeyLoggerEventArgs
00000000.00000002.2207129697.0000000004349000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1a404:$x1: $%SMTPDV$ 0x3ae24:$x1: $%SMTPDV$ 0x5b644:$x1: $%SMTPDV$ 0x18de8:$x2: $#TheHashHere%& 0x39808:$x2: $#TheHashHere%& 0x5a028:$x2: $#TheHashHere%& 0x1a3ac:$x3: %FTPDV$ 0x3adcc:$x3: %FTPDV$ 0x5b5ec:$x3: %FTPDV$ 0x18d88:$x4: $%TelegramDv$ 0x397a8:$x4: $%TelegramDv$ 0x59fc8:$x4: $%TelegramDv$ 0x16725:$x5: KeyLoggerEventArgs 0x16aba:$x5: KeyLoggerEventArgs 0x37145:$x5: KeyLoggerEventArgs 0x374da:$x5: KeyLoggerEventArgs 0x57965:$x5: KeyLoggerEventArgs 0x57cfa:$x5: KeyLoggerEventArgs 0x1a3d0:$m2: Clipboard Logs ID 0x1a60e:$m2: Screenshot Logs ID 0x1a71e:$m2: keystroke Logs ID
0000000E.00000002.4607215864.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.4607797930.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Order_List.scr.exe PID: 1548	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Order_List.scr.exe PID: 1548	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Order_List.scr.exe PID: 1548	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Order_List.scr.exe PID: 1548	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7901e:$a1: get_encryptedPassword 0x79300:$a2: get_encryptedUsername 0x78e34:$a3: get_timePasswordChanged 0x78f2f:$a4: get_passwordField 0x79034:$a5: set_encryptedPassword 0x7b514:$a7: get_logins 0x7b477:$a10: KeyLoggerEventArgs 0x7b0e2:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Order_List.scr.exe PID: 1548	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x7b0e2:$x5: KeyLoggerEventArgs 0x7b477:$x5: KeyLoggerEventArgs 0x7ba44:$x5: KeyLoggerEventArgs 0x7bda5:$x5: KeyLoggerEventArgs 0x7d6a5:$m2: Clipboard Logs ID 0x7d7ab:$m2: Screenshot Logs ID 0x7d801:$m2: keystroke Logs ID 0x7d936:$m3: SnakePW 0x7d797:$m4: \SnakeKeylogger\
Process Memory Space: Order_List.scr.exe PID: 5900	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Order_List.scr.exe PID: 5900	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Order_List.scr.exe PID: 5900	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c547:$a1: get_encryptedPassword 0x1c829:$a2: get_encryptedUsername 0x1c35d:$a3: get_timePasswordChanged 0x1c458:$a4: get_passwordField 0x1c55d:$a5: set_encryptedPassword 0x1ea3d:$a7: get_logins 0x1e9a0:$a10: KeyLoggerEventArgs 0x1e60b:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Order_List.scr.exe PID: 5900	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1e60b:$x5: KeyLoggerEventArgs 0x1e9a0:$x5: KeyLoggerEventArgs 0x1ef6d:$x5: KeyLoggerEventArgs 0x1f2ce:$x5: KeyLoggerEventArgs 0x20bce:$m2: Clipboard Logs ID 0x20cd4:$m2: Screenshot Logs ID 0x20d2a:$m2: keystroke Logs ID 0x20e5f:$m3: SnakePW 0x20cc0:$m4: \SnakeKeylogger\
Process Memory Space: FTlLqTRGrXZr.exe PID: 7344	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: FTlLqTRGrXZr.exe PID: 7344	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Order_List.scr.exe.5d20000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Order_List.scr.exe.5d20000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Order_List.scr.exe.4349970.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Order_List.scr.exe.4349970.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Order_List.scr.exe.4349970.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cc4:$a1: get_encryptedPassword 0x12fb0:$a2: get_encryptedUsername 0x12ad0:$a3: get_timePasswordChanged 0x12bcb:$a4: get_passwordField 0x12cda:$a5: set_encryptedPassword 0x143e7:$a7: get_logins 0x1434a:$a10: KeyLoggerEventArgs 0x13fb5:$a11: KeyLoggerEventArgsEventHandler
0.2.Order_List.scr.exe.4349970.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a64a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1987c:$a3: \Google\Chrome\User Data\Default\Login Data 0x19caf:$a4: \Orbitum\User Data\Default\Login Data 0x1acee:$a5: \Kometa\User Data\Default\Login Data
0.2.Order_List.scr.exe.4349970.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13907:$s1: UnHook 0x1390e:$s2: SetHook 0x13916:$s3: CallNextHook 0x13923:$s4: _hook
0.2.Order_List.scr.exe.4349970.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c94:$x1: $%SMTPDV$ 0x16678:$x2: $#TheHashHere%& 0x17c3c:$x3: %FTPDV$ 0x16618:$x4: $%TelegramDv$ 0x13fb5:$x5: KeyLoggerEventArgs 0x1434a:$x5: KeyLoggerEventArgs 0x17c60:$m2: Clipboard Logs ID 0x17e9e:$m2: Screenshot Logs ID 0x17fae:$m2: keystroke Logs ID 0x18288:$m3: SnakePW 0x17e76:$m4: \SnakeKeylogger\
0.2.Order_List.scr.exe.436a390.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Order_List.scr.exe.436a390.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Order_List.scr.exe.436a390.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cc4:$a1: get_encryptedPassword 0x12fb0:$a2: get_encryptedUsername 0x12ad0:$a3: get_timePasswordChanged 0x12bcb:$a4: get_passwordField 0x12cda:$a5: set_encryptedPassword 0x143e7:$a7: get_logins 0x1434a:$a10: KeyLoggerEventArgs 0x13fb5:$a11: KeyLoggerEventArgsEventHandler
0.2.Order_List.scr.exe.436a390.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a64a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1987c:$a3: \Google\Chrome\User Data\Default\Login Data 0x19caf:$a4: \Orbitum\User Data\Default\Login Data 0x1acee:$a5: \Kometa\User Data\Default\Login Data
0.2.Order_List.scr.exe.436a390.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13907:$s1: UnHook 0x1390e:$s2: SetHook 0x13916:$s3: CallNextHook 0x13923:$s4: _hook
0.2.Order_List.scr.exe.436a390.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c94:$x1: $%SMTPDV$ 0x16678:$x2: $#TheHashHere%& 0x17c3c:$x3: %FTPDV$ 0x16618:$x4: $%TelegramDv$ 0x13fb5:$x5: KeyLoggerEventArgs 0x1434a:$x5: KeyLoggerEventArgs 0x17c60:$m2: Clipboard Logs ID 0x17e9e:$m2: Screenshot Logs ID 0x17fae:$m2: keystroke Logs ID 0x18288:$m3: SnakePW 0x17e76:$m4: \SnakeKeylogger\
0.2.Order_List.scr.exe.436a390.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Order_List.scr.exe.436a390.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Order_List.scr.exe.436a390.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Order_List.scr.exe.436a390.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ac4:$a1: get_encryptedPassword 0x352e4:$a1: get_encryptedPassword 0x14db0:$a2: get_encryptedUsername 0x355d0:$a2: get_encryptedUsername 0x148d0:$a3: get_timePasswordChanged 0x350f0:$a3: get_timePasswordChanged 0x149cb:$a4: get_passwordField 0x351eb:$a4: get_passwordField 0x14ada:$a5: set_encryptedPassword 0x352fa:$a5: set_encryptedPassword 0x161e7:$a7: get_logins 0x36a07:$a7: get_logins 0x1614a:$a10: KeyLoggerEventArgs 0x3696a:$a10: KeyLoggerEventArgs 0x15db5:$a11: KeyLoggerEventArgsEventHandler 0x365d5:$a11: KeyLoggerEventArgsEventHandler
0.2.Order_List.scr.exe.436a390.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c44a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cc6a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b67c:$a3: \Google\Chrome\User Data\Default\Login Data 0x3be9c:$a3: \Google\Chrome\User Data\Default\Login Data 0x1baaf:$a4: \Orbitum\User Data\Default\Login Data 0x3c2cf:$a4: \Orbitum\User Data\Default\Login Data 0x1caee:$a5: \Kometa\User Data\Default\Login Data 0x3d30e:$a5: \Kometa\User Data\Default\Login Data
0.2.Order_List.scr.exe.436a390.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15707:$s1: UnHook 0x35f27:$s1: UnHook 0x1570e:$s2: SetHook 0x35f2e:$s2: SetHook 0x15716:$s3: CallNextHook 0x35f36:$s3: CallNextHook 0x15723:$s4: _hook 0x35f43:$s4: _hook
0.2.Order_List.scr.exe.436a390.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a94:$x1: $%SMTPDV$ 0x3a2b4:$x1: $%SMTPDV$ 0x18478:$x2: $#TheHashHere%& 0x38c98:$x2: $#TheHashHere%& 0x19a3c:$x3: %FTPDV$ 0x3a25c:$x3: %FTPDV$ 0x18418:$x4: $%TelegramDv$ 0x38c38:$x4: $%TelegramDv$ 0x15db5:$x5: KeyLoggerEventArgs 0x1614a:$x5: KeyLoggerEventArgs 0x365d5:$x5: KeyLoggerEventArgs 0x3696a:$x5: KeyLoggerEventArgs 0x19a60:$m2: Clipboard Logs ID 0x19c9e:$m2: Screenshot Logs ID 0x19dae:$m2: keystroke Logs ID 0x3a280:$m2: Clipboard Logs ID 0x3a4be:$m2: Screenshot Logs ID 0x3a5ce:$m2: keystroke Logs ID 0x1a088:$m3: SnakePW 0x3a8a8:$m3: SnakePW 0x19c76:$m4: \SnakeKeylogger\
0.2.Order_List.scr.exe.4349970.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Order_List.scr.exe.4349970.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Order_List.scr.exe.4349970.0.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Order_List.scr.exe.4349970.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ac4:$a1: get_encryptedPassword 0x354e4:$a1: get_encryptedPassword 0x55d04:$a1: get_encryptedPassword 0x14db0:$a2: get_encryptedUsername 0x357d0:$a2: get_encryptedUsername 0x55ff0:$a2: get_encryptedUsername 0x148d0:$a3: get_timePasswordChanged 0x352f0:$a3: get_timePasswordChanged 0x55b10:$a3: get_timePasswordChanged 0x149cb:$a4: get_passwordField 0x353eb:$a4: get_passwordField 0x55c0b:$a4: get_passwordField 0x14ada:$a5: set_encryptedPassword 0x354fa:$a5: set_encryptedPassword 0x55d1a:$a5: set_encryptedPassword 0x161e7:$a7: get_logins 0x36c07:$a7: get_logins 0x57427:$a7: get_logins 0x1614a:$a10: KeyLoggerEventArgs 0x36b6a:$a10: KeyLoggerEventArgs 0x5738a:$a10: KeyLoggerEventArgs
0.2.Order_List.scr.exe.4349970.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c44a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce6a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d68a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b67c:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c09c:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c8bc:$a3: \Google\Chrome\User Data\Default\Login Data 0x1baaf:$a4: \Orbitum\User Data\Default\Login Data 0x3c4cf:$a4: \Orbitum\User Data\Default\Login Data 0x5ccef:$a4: \Orbitum\User Data\Default\Login Data 0x1caee:$a5: \Kometa\User Data\Default\Login Data 0x3d50e:$a5: \Kometa\User Data\Default\Login Data 0x5dd2e:$a5: \Kometa\User Data\Default\Login Data
0.2.Order_List.scr.exe.4349970.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15707:$s1: UnHook 0x36127:$s1: UnHook 0x56947:$s1: UnHook 0x1570e:$s2: SetHook 0x3612e:$s2: SetHook 0x5694e:$s2: SetHook 0x15716:$s3: CallNextHook 0x36136:$s3: CallNextHook 0x56956:$s3: CallNextHook 0x15723:$s4: _hook 0x36143:$s4: _hook 0x56963:$s4: _hook
0.2.Order_List.scr.exe.4349970.0.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a94:$x1: $%SMTPDV$ 0x3a4b4:$x1: $%SMTPDV$ 0x5acd4:$x1: $%SMTPDV$ 0x18478:$x2: $#TheHashHere%& 0x38e98:$x2: $#TheHashHere%& 0x596b8:$x2: $#TheHashHere%& 0x19a3c:$x3: %FTPDV$ 0x3a45c:$x3: %FTPDV$ 0x5ac7c:$x3: %FTPDV$ 0x18418:$x4: $%TelegramDv$ 0x38e38:$x4: $%TelegramDv$ 0x59658:$x4: $%TelegramDv$ 0x15db5:$x5: KeyLoggerEventArgs 0x1614a:$x5: KeyLoggerEventArgs 0x367d5:$x5: KeyLoggerEventArgs 0x36b6a:$x5: KeyLoggerEventArgs 0x56ff5:$x5: KeyLoggerEventArgs 0x5738a:$x5: KeyLoggerEventArgs 0x19a60:$m2: Clipboard Logs ID 0x19c9e:$m2: Screenshot Logs ID 0x19dae:$m2: keystroke Logs ID
Click to see the 23 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_List.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_List.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Order_List.scr.exe", ParentImage: C:\Users\user\Desktop\Order_List.scr.exe, ParentProcessId: 1548, ParentProcessName: Order_List.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_List.scr.exe", ProcessId: 5960, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTlLqTRGrXZr" /XML "C:\Users\user\AppData\Local\Temp\tmp6FCC.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTlLqTRGrXZr" /XML "C:\Users\user\AppData\Local\Temp\tmp6FCC.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe, ParentImage: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe, ParentProcessId: 6320, ParentProcessName: FTlLqTRGrXZr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTlLqTRGrXZr" /XML "C:\Users\user\AppData\Local\Temp\tmp6FCC.tmp", ProcessId: 7292, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTlLqTRGrXZr" /XML "C:\Users\user\AppData\Local\Temp\tmp5251.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTlLqTRGrXZr" /XML "C:\Users\user\AppData\Local\Temp\tmp5251.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Order_List.scr.exe", ParentImage: C:\Users\user\Desktop\Order_List.scr.exe, ParentProcessId: 1548, ParentProcessName: Order_List.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTlLqTRGrXZr" /XML "C:\Users\user\AppData\Local\Temp\tmp5251.tmp", ProcessId: 5696, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_List.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_List.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Order_List.scr.exe", ParentImage: C:\Users\user\Desktop\Order_List.scr.exe, ParentProcessId: 1548, ParentProcessName: Order_List.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_List.scr.exe", ProcessId: 5960, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTlLqTRGrXZr" /XML "C:\Users\user\AppData\Local\Temp\tmp5251.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTlLqTRGrXZr" /XML "C:\Users\user\AppData\Local\Temp\tmp5251.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Order_List.scr.exe", ParentImage: C:\Users\user\Desktop\Order_List.scr.exe, ParentProcessId: 1548, ParentProcessName: Order_List.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTlLqTRGrXZr" /XML "C:\Users\user\AppData\Local\Temp\tmp5251.tmp", ProcessId: 5696, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T16:39:07.278025+0100	2803305	3	Unknown Traffic	192.168.2.6	49730	104.21.64.1	443	TCP
2025-01-09T16:39:08.783110+0100	2803305	3	Unknown Traffic	192.168.2.6	49737	104.21.64.1	443	TCP
2025-01-09T16:39:11.835557+0100	2803305	3	Unknown Traffic	192.168.2.6	49762	104.21.64.1	443	TCP
2025-01-09T16:39:13.260564+0100	2803305	3	Unknown Traffic	192.168.2.6	49775	104.21.64.1	443	TCP
2025-01-09T16:39:14.249800+0100	2803305	3	Unknown Traffic	192.168.2.6	49783	104.21.64.1	443	TCP
2025-01-09T16:39:14.669333+0100	2803305	3	Unknown Traffic	192.168.2.6	49789	104.21.64.1	443	TCP
2025-01-09T16:39:16.895405+0100	2803305	3	Unknown Traffic	192.168.2.6	49802	104.21.64.1	443	TCP
2025-01-09T16:39:19.396707+0100	2803305	3	Unknown Traffic	192.168.2.6	49813	104.21.64.1	443	TCP
2025-01-09T16:39:24.383897+0100	2803305	3	Unknown Traffic	192.168.2.6	49846	104.21.64.1	443	TCP
2025-01-09T16:39:26.004692+0100	2803305	3	Unknown Traffic	192.168.2.6	49858	104.21.64.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T16:39:05.437709+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49716	132.226.8.169	80	TCP
2025-01-09T16:39:06.812648+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49716	132.226.8.169	80	TCP
2025-01-09T16:39:08.140840+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49731	132.226.8.169	80	TCP
2025-01-09T16:39:12.703288+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49768	132.226.8.169	80	TCP
2025-01-09T16:39:13.640790+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49768	132.226.8.169	80	TCP
2025-01-09T16:39:15.140772+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49790	132.226.8.169	80	TCP
2025-01-09T16:39:18.436587+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49807	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000E.00000002.4607215864.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7888110857:AAH_lE30nomQfyzYUPPXbGWeGI9ffBUijsQ/sendMessage?chat_id=7222025033", "Token": "7888110857:AAH_lE30nomQfyzYUPPXbGWeGI9ffBUijsQ", "Chat_id": "7222025033", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

ReversingLabs: Detection: 71%

Multi AV Scanner detection for submitted file

Source: Order_List.scr.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Order_List.scr.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Order_List.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49719 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49776 version: TLS 1.0

Source: Order_List.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 014BF1F6h	9_2_014BF007
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 014BFB80h	9_2_014BF007
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_014BE528
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_014BEB5B
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_014BED3C
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D8C041h	9_2_05D8BD98
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D81011h	9_2_05D80D60
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D8F009h	9_2_05D8ED60
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D8B791h	9_2_05D8B4E8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D8E759h	9_2_05D8E4B0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D80751h	9_2_05D804A0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D8DEA9h	9_2_05D8DC00
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D8DA51h	9_2_05D8D7A8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D8D1A1h	9_2_05D8CEF8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D8C8F1h	9_2_05D8C648
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D8F8B9h	9_2_05D8F610
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D81A38h	9_2_05D81620
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D81471h	9_2_05D811C0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D8C499h	9_2_05D8C1F0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D8F461h	9_2_05D8F1B8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D8BBE9h	9_2_05D8B940
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D81A38h	9_2_05D81966
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D8EBB1h	9_2_05D8E908
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D80BB1h	9_2_05D80900
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D8E301h	9_2_05D8E058
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D802F1h	9_2_05D80040
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D8D5F9h	9_2_05D8D350
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D8CD49h	9_2_05D8CAA0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 05D8FD11h	9_2_05D8FA68
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 06EA8945h	9_2_06EA8608
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 06EA6171h	9_2_06EA5EC8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 06EA58C1h	9_2_06EA5618
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 06EA6A21h	9_2_06EA6778
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 06EA7751h	9_2_06EA74A8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 06EA0741h	9_2_06EA0498
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 06EA0FF1h	9_2_06EA0D48
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 06EA8001h	9_2_06EA7D58
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 06EA5D19h	9_2_06EA5A70
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 06EA6E79h	9_2_06EA6BD0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	9_2_06EA33A8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	9_2_06EA33B8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 06EA65C9h	9_2_06EA6320
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 06EA0B99h	9_2_06EA08F0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 06EA02E9h	9_2_06EA0040
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 06EA72FAh	9_2_06EA7050
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 06EA8459h	9_2_06EA81B0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 06EA5441h	9_2_06EA5198
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 4x nop then jmp 06EA7BA9h	9_2_06EA7900
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then jmp 0106F1F6h	14_2_0106F007
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_0106E528
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then jmp 0106FB80h	14_2_0106F788
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then jmp 05738D4Dh	14_2_05738A10
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then jmp 05730FF1h	14_2_05730D48
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then jmp 05737FB1h	14_2_05737D08
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then jmp 05738861h	14_2_057385B8
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then jmp 05735849h	14_2_057355A0
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then jmp 05737702h	14_2_05737458
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then jmp 05730741h	14_2_05730498
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then jmp 057369D1h	14_2_05736728
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then jmp 05737281h	14_2_05736FD8
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	14_2_057337C0
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	14_2_057337B0
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then jmp 05736121h	14_2_05735E78
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then jmp 05738409h	14_2_05738160
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then jmp 057302E9h	14_2_05730040
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then jmp 05730B99h	14_2_057308F0
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then jmp 05737B59h	14_2_057378B0
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then jmp 05736E29h	14_2_05736B80
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then jmp 05735CC9h	14_2_05735A20
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then jmp 05736579h	14_2_057362D0
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	14_2_05733AD6

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.Order_List.scr.exe.436a390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order_List.scr.exe.4349970.0.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49731 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49790 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49768 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49716 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49807 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49762 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49730 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49737 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49789 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49858 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49813 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49775 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49846 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49802 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49783 -> 104.21.64.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49719 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49776 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: Order_List.scr.exe, 00000009.00000002.4607797930.0000000003363000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003347000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003390000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003355000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000339F000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.00000000032A7000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000333A000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002C97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Order_List.scr.exe, 00000009.00000002.4607797930.0000000003363000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003347000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003390000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003355000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000339F000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.00000000032A7000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.00000000032EA000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000333A000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000329B000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002C8B000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002CDA000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002C97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Order_List.scr.exe, 00000009.00000002.4607797930.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Order_List.scr.exe, 00000000.00000002.2207129697.0000000004349000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4604593123.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Order_List.scr.exe, FTlLqTRGrXZr.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Order_List.scr.exe, FTlLqTRGrXZr.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Order_List.scr.exe, FTlLqTRGrXZr.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: Order_List.scr.exe, 00000009.00000002.4607797930.0000000003363000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003347000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003390000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003355000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000339F000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000333A000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Order_List.scr.exe, 00000000.00000002.2206154442.000000000338D000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000B.00000002.2277645088.00000000023F8000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Order_List.scr.exe, 00000009.00000002.4607797930.0000000003363000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003347000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003390000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003355000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000339F000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.00000000032A7000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.00000000032EA000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000333A000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002CDA000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002C97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Order_List.scr.exe, 00000000.00000002.2207129697.0000000004349000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4604593123.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.00000000032A7000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002C97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002C97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Order_List.scr.exe, 00000009.00000002.4607797930.0000000003363000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003347000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003390000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003355000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000339F000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.00000000032EA000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000333A000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002CDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: Order_List.scr.exe, 00000009.00000002.4607797930.000000000333A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189H
Source: Order_List.scr.exe, FTlLqTRGrXZr.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Order_List.scr.exe.4349970.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Order_List.scr.exe.4349970.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Order_List.scr.exe.4349970.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Order_List.scr.exe.4349970.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Order_List.scr.exe.436a390.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Order_List.scr.exe.436a390.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Order_List.scr.exe.436a390.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Order_List.scr.exe.436a390.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Order_List.scr.exe.436a390.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Order_List.scr.exe.436a390.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Order_List.scr.exe.436a390.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Order_List.scr.exe.436a390.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Order_List.scr.exe.4349970.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Order_List.scr.exe.4349970.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Order_List.scr.exe.4349970.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Order_List.scr.exe.4349970.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000009.00000002.4604593123.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.4604593123.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2207129697.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2207129697.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Order_List.scr.exe PID: 1548, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Order_List.scr.exe PID: 1548, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Order_List.scr.exe PID: 5900, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Order_List.scr.exe PID: 5900, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Order_List.scr.exe

Source: C:\Users\user\Desktop\Order_List.scr.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 0_2_01993E0C	0_2_01993E0C
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 0_2_01997018	0_2_01997018
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 0_2_0586C570	0_2_0586C570
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 0_2_0586F39E	0_2_0586F39E
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 0_2_0586A810	0_2_0586A810
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 0_2_0586A820	0_2_0586A820
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 0_2_05910040	0_2_05910040
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 0_2_05910DFB	0_2_05910DFB
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 0_2_05910E08	0_2_05910E08
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_014B6108	9_2_014B6108
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_014BC190	9_2_014BC190
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_014BF007	9_2_014BF007
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_014BB328	9_2_014BB328
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_014BC470	9_2_014BC470
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_014BC754	9_2_014BC754
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_014B6730	9_2_014B6730
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_014B9858	9_2_014B9858
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_014BBBD3	9_2_014BBBD3
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_014BCA34	9_2_014BCA34
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_014B4AD9	9_2_014B4AD9
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_014BBEB0	9_2_014BBEB0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_014B3578	9_2_014B3578
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_014BE517	9_2_014BE517
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_014BE528	9_2_014BE528
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D87D90	9_2_05D87D90
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D88460	9_2_05D88460
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D83870	9_2_05D83870
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D873E8	9_2_05D873E8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8BD98	9_2_05D8BD98
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8BD88	9_2_05D8BD88
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8ED50	9_2_05D8ED50
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D80D51	9_2_05D80D51
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D80D60	9_2_05D80D60
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8ED60	9_2_05D8ED60
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8B4D7	9_2_05D8B4D7
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8B4E8	9_2_05D8B4E8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D80490	9_2_05D80490
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8E4B0	9_2_05D8E4B0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D804A0	9_2_05D804A0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8E4A0	9_2_05D8E4A0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8DC00	9_2_05D8DC00
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8D798	9_2_05D8D798
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8D7A8	9_2_05D8D7A8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8CEF8	9_2_05D8CEF8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8CEE9	9_2_05D8CEE9
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8C648	9_2_05D8C648
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8F610	9_2_05D8F610
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8F600	9_2_05D8F600
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8C638	9_2_05D8C638
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D811C0	9_2_05D811C0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8C1F0	9_2_05D8C1F0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8C1E0	9_2_05D8C1E0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8F1B8	9_2_05D8F1B8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D811B0	9_2_05D811B0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8F1A9	9_2_05D8F1A9
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8B940	9_2_05D8B940
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8E908	9_2_05D8E908
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D80900	9_2_05D80900
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8B930	9_2_05D8B930
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8E8F8	9_2_05D8E8F8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D808F0	9_2_05D808F0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8E058	9_2_05D8E058
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8E049	9_2_05D8E049
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D80040	9_2_05D80040
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D83860	9_2_05D83860
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D80007	9_2_05D80007
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8DBF1	9_2_05D8DBF1
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8D350	9_2_05D8D350
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8D340	9_2_05D8D340
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8CA90	9_2_05D8CA90
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8CAA0	9_2_05D8CAA0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8FA59	9_2_05D8FA59
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D8FA68	9_2_05D8FA68
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EAB6E8	9_2_06EAB6E8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EAD670	9_2_06EAD670
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA8608	9_2_06EA8608
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA8C57	9_2_06EA8C57
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EAA408	9_2_06EAA408
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EABD38	9_2_06EABD38
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EAAA58	9_2_06EAAA58
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EAC388	9_2_06EAC388
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EAB0A0	9_2_06EAB0A0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EAD028	9_2_06EAD028
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EAC9D8	9_2_06EAC9D8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA11A0	9_2_06EA11A0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EAB6E3	9_2_06EAB6E3
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA5EC8	9_2_06EA5EC8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA5EB8	9_2_06EA5EB8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EAD66B	9_2_06EAD66B
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA5609	9_2_06EA5609
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA5618	9_2_06EA5618
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA6778	9_2_06EA6778
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA3730	9_2_06EA3730
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA74A8	9_2_06EA74A8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA0488	9_2_06EA0488
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA0498	9_2_06EA0498
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA7497	9_2_06EA7497
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA4430	9_2_06EA4430
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA85FB	9_2_06EA85FB
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA0D48	9_2_06EA0D48
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA7D48	9_2_06EA7D48
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA7D58	9_2_06EA7D58
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA0D39	9_2_06EA0D39
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EABD37	9_2_06EABD37
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA5A60	9_2_06EA5A60
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA5A70	9_2_06EA5A70
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EAAA4F	9_2_06EAAA4F
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EAA3F8	9_2_06EAA3F8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA6BC1	9_2_06EA6BC1
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA6BD0	9_2_06EA6BD0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA33A8	9_2_06EA33A8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA33B8	9_2_06EA33B8
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EAC387	9_2_06EAC387
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA6320	9_2_06EA6320
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA6311	9_2_06EA6311
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA08E0	9_2_06EA08E0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA08F0	9_2_06EA08F0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA78F0	9_2_06EA78F0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA28B0	9_2_06EA28B0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA0040	9_2_06EA0040
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA7040	9_2_06EA7040
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA7050	9_2_06EA7050
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA0021	9_2_06EA0021
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EAD027	9_2_06EAD027
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA2807	9_2_06EA2807
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA2815	9_2_06EA2815
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EAC9D3	9_2_06EAC9D3
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA81A0	9_2_06EA81A0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA81B0	9_2_06EA81B0
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA518A	9_2_06EA518A
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA5198	9_2_06EA5198
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA1191	9_2_06EA1191
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_06EA7900	9_2_06EA7900
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 11_2_00803E0C	11_2_00803E0C
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 11_2_00807018	11_2_00807018
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 11_2_069124E8	11_2_069124E8
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 11_2_06914A20	11_2_06914A20
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 11_2_0691D6A8	11_2_0691D6A8
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 11_2_069124D7	11_2_069124D7
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 11_2_0691D270	11_2_0691D270
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 11_2_06911E00	11_2_06911E00
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 11_2_0691CE38	11_2_0691CE38
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 11_2_06911DF1	11_2_06911DF1
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 11_2_0691EDE0	11_2_0691EDE0
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 11_2_0691E998	11_2_0691E998
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 11_2_0691E9A8	11_2_0691E9A8
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_01066108	14_2_01066108
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0106C190	14_2_0106C190
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0106F007	14_2_0106F007
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0106B328	14_2_0106B328
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0106C473	14_2_0106C473
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_01066730	14_2_01066730
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0106C752	14_2_0106C752
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_01069858	14_2_01069858
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0106CA32	14_2_0106CA32
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_01064AD9	14_2_01064AD9
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0106BEB2	14_2_0106BEB2
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0106E517	14_2_0106E517
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0106E528	14_2_0106E528
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_01063572	14_2_01063572
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0106B4F2	14_2_0106B4F2
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0573BD40	14_2_0573BD40
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0573A410	14_2_0573A410
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0573D678	14_2_0573D678
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0573B6F0	14_2_0573B6F0
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0573C9E0	14_2_0573C9E0
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05739059	14_2_05739059
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0573D030	14_2_0573D030
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0573B0A8	14_2_0573B0A8
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0573C390	14_2_0573C390
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0573AA60	14_2_0573AA60
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05738A10	14_2_05738A10
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05730D48	14_2_05730D48
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0573BD30	14_2_0573BD30
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05730D39	14_2_05730D39
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05737D08	14_2_05737D08
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_057385B8	14_2_057385B8
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_057355A0	14_2_057355A0
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_057385A8	14_2_057385A8
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05735593	14_2_05735593
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05737458	14_2_05737458
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05737448	14_2_05737448
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05732C11	14_2_05732C11
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0573A400	14_2_0573A400
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05732C0F	14_2_05732C0F
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05737CF8	14_2_05737CF8
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05732CB8	14_2_05732CB8
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05730498	14_2_05730498
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05730488	14_2_05730488
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05736728	14_2_05736728
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0573671B	14_2_0573671B
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05736FD8	14_2_05736FD8
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_057337C0	14_2_057337C0
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05736FC9	14_2_05736FC9
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_057337B0	14_2_057337B0
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05735E78	14_2_05735E78
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0573D66B	14_2_0573D66B
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05735E68	14_2_05735E68
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0573B6E1	14_2_0573B6E1
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05738160	14_2_05738160
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05738150	14_2_05738150
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0573C9D0	14_2_0573C9D0
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_057311A0	14_2_057311A0
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05731191	14_2_05731191
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05730040	14_2_05730040
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05734838	14_2_05734838
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0573D020	14_2_0573D020
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05730007	14_2_05730007
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_057308F0	14_2_057308F0
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_057308E0	14_2_057308E0
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_057378B0	14_2_057378B0
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0573B097	14_2_0573B097
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0573789F	14_2_0573789F
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05736B73	14_2_05736B73
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05733B38	14_2_05733B38
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05736B80	14_2_05736B80
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0573C380	14_2_0573C380
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_0573AA57	14_2_0573AA57
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05735A20	14_2_05735A20
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05735A13	14_2_05735A13
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_05738A04	14_2_05738A04
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_057362D0	14_2_057362D0
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 14_2_057362C0	14_2_057362C0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe 3652DCDB4EAFF1A11FF293EEDB80363E024BDA7A33F1E1C17B082DFD4CEA5A86

Source: Order_List.scr.exe

Static PE information: invalid certificate

Source: Order_List.scr.exe, 00000000.00000002.2207129697.00000000045D8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Order_List.scr.exe
Source: Order_List.scr.exe, 00000000.00000002.2202146272.000000000144E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Order_List.scr.exe
Source: Order_List.scr.exe, 00000000.00000000.2125682278.0000000000F42000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDIXo.exe: vs Order_List.scr.exe
Source: Order_List.scr.exe, 00000000.00000002.2210177325.0000000007900000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Order_List.scr.exe
Source: Order_List.scr.exe, 00000000.00000002.2206154442.000000000338D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Order_List.scr.exe
Source: Order_List.scr.exe, 00000000.00000002.2209588956.0000000005D20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Order_List.scr.exe
Source: Order_List.scr.exe, 00000000.00000002.2207129697.0000000004349000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Order_List.scr.exe
Source: Order_List.scr.exe, 00000009.00000002.4604844263.00000000012F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Order_List.scr.exe
Source: Order_List.scr.exe, 00000009.00000002.4604593123.0000000000422000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Order_List.scr.exe
Source: Order_List.scr.exe	Binary or memory string: OriginalFilenameDIXo.exe: vs Order_List.scr.exe

Source: Order_List.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Order_List.scr.exe.4349970.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Order_List.scr.exe.4349970.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Order_List.scr.exe.4349970.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Order_List.scr.exe.4349970.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Order_List.scr.exe.436a390.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Order_List.scr.exe.436a390.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Order_List.scr.exe.436a390.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Order_List.scr.exe.436a390.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Order_List.scr.exe.436a390.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Order_List.scr.exe.436a390.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Order_List.scr.exe.436a390.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Order_List.scr.exe.436a390.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Order_List.scr.exe.4349970.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Order_List.scr.exe.4349970.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Order_List.scr.exe.4349970.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Order_List.scr.exe.4349970.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000009.00000002.4604593123.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.4604593123.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2207129697.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2207129697.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Order_List.scr.exe PID: 1548, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Order_List.scr.exe PID: 1548, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Order_List.scr.exe PID: 5900, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Order_List.scr.exe PID: 5900, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: Order_List.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FTlLqTRGrXZr.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@2/2

Source: C:\Users\user\Desktop\Order_List.scr.exe

File created: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5008:120:WilError_03
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Mutant created: \Sessions\1\BaseNamedObjects\laoeILYAWbYsBdVIYEa
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03

Source: C:\Users\user\Desktop\Order_List.scr.exe

File created: C:\Users\user\AppData\Local\Temp\tmp5251.tmp

Jump to behavior

Source: Order_List.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Order_List.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Order_List.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Order_List.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Order_List.scr.exe, 00000009.00000002.4607797930.000000000342D000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000341D000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000343B000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4611428258.000000000426F000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003463000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000346F000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002E2A000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002E5E000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4610371320.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002E1C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Order_List.scr.exe

ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\Order_List.scr.exe

File read: C:\Users\user\Desktop\Order_List.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Order_List.scr.exe "C:\Users\user\Desktop\Order_List.scr.exe"
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_List.scr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTlLqTRGrXZr" /XML "C:\Users\user\AppData\Local\Temp\tmp5251.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process created: C:\Users\user\Desktop\Order_List.scr.exe "C:\Users\user\Desktop\Order_List.scr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTlLqTRGrXZr" /XML "C:\Users\user\AppData\Local\Temp\tmp6FCC.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process created: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe "C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe"
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_List.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTlLqTRGrXZr" /XML "C:\Users\user\AppData\Local\Temp\tmp5251.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process created: C:\Users\user\Desktop\Order_List.scr.exe "C:\Users\user\Desktop\Order_List.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTlLqTRGrXZr" /XML "C:\Users\user\AppData\Local\Temp\tmp6FCC.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process created: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe "C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\Order_List.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Order_List.scr.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Order_List.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Order_List.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Order_List.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Order_List.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 0_2_0199E5B4 push esp; retf	0_2_0199E5BD
Source: C:\Users\user\Desktop\Order_List.scr.exe	Code function: 9_2_05D82E78 push esp; iretd	9_2_05D82E79
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 11_2_0080E5B4 push esp; retf	11_2_0080E5BD
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Code function: 11_2_06913A88 push esp; iretd	11_2_06913A89

Source: Order_List.scr.exe	Static PE information: section name: .text entropy: 7.446253940033166
Source: FTlLqTRGrXZr.exe.0.dr	Static PE information: section name: .text entropy: 7.446253940033166

Source: C:\Users\user\Desktop\Order_List.scr.exe

File created: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Order_List.scr.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTlLqTRGrXZr" /XML "C:\Users\user\AppData\Local\Temp\tmp5251.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Order_List.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Order_List.scr.exe PID: 1548, type: MEMORYSTR

Source: C:\Users\user\Desktop\Order_List.scr.exe	Memory allocated: 1950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Memory allocated: 3340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Memory allocated: 3150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Memory allocated: 82A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Memory allocated: 92A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Memory allocated: C300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Memory allocated: 9450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Memory allocated: 14B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Memory allocated: 17C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Memory allocated: 800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Memory allocated: 23B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Memory allocated: 43B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Memory allocated: 6920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Memory allocated: 7920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Memory allocated: AE80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Memory allocated: 7AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Memory allocated: 1060000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Memory allocated: 2BD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Memory allocated: 2900000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 599196	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 598858	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 598460	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 598012	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 596999	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 596217	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 595654	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 595533	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 595074	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 594641	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 594422	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 594313	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 599078
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 598969
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 598844
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 598734
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 598625
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 598514
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 598397
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 598281
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 598172
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 598058
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 597953
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 597844
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 597625
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 597516
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 597391
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 597266
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 597156
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 597047
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 596938
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 596813
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 596688
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 596578
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 596469
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 596219
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 595985
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 595860
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 595735
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 595610
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 595485
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 595360
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 595235
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 594985
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 594844
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 594235

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7096	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 652	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7007	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 580	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Window / User API: threadDelayed 2021	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Window / User API: threadDelayed 7819	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Window / User API: threadDelayed 2273
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Window / User API: threadDelayed 7565

Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 1280	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5532	Thread sleep count: 7096 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7052	Thread sleep count: 652 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6568	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4976	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1088	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5704	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7212	Thread sleep count: 2021 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7212	Thread sleep count: 7819 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -599196s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -598858s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -598460s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -598012s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -597688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -597563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -597344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -597219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -596999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -596891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -596563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -596438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -596217s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -595891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -595766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -595654s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -595533s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -595074s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -594969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -594641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -594531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -594422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -594313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe TID: 7204	Thread sleep time: -594203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7196	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7432	Thread sleep count: 2273 > 30
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7432	Thread sleep count: 7565 > 30
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -599438s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -599078s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -598969s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -598844s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -598734s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -598625s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -598514s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -598397s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -598281s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -598172s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -598058s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -597953s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -597844s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -597735s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -597625s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -597516s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -597391s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -597266s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -597156s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -597047s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -596938s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -596813s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -596688s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -596578s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -596469s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -596328s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -596219s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -596110s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -595985s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -595860s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -595735s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -595610s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -595485s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -595360s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -595235s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -595110s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -594985s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -594844s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -594735s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -594610s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -594485s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -594360s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe TID: 7428	Thread sleep time: -594235s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 599196	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 598858	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 598460	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 598012	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 596999	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 596217	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 595654	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 595533	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 595074	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 594641	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 594422	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 594313	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 599078
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 598969
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 598844
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 598734
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 598625
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 598514
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 598397
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 598281
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 598172
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 598058
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 597953
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 597844
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 597625
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 597516
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 597391
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 597266
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 597156
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 597047
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 596938
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 596813
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 596688
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 596578
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 596469
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 596219
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 595985
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 595860
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 595735
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 595610
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 595485
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 595360
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 595235
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 594985
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 594844
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Thread delayed: delay time: 594235

Source: Order_List.scr.exe, 00000009.00000002.4605952668.00000000015F6000.00000004.00000020.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4605651622.0000000000D78000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Order_List.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Order_List.scr.exe

Code function: 9_2_05D87D90 LdrInitializeThunk,

9_2_05D87D90

Source: C:\Users\user\Desktop\Order_List.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Order_List.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Order_List.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_List.scr.exe"
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe"
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_List.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

Memory written: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Order_List.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_List.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTlLqTRGrXZr" /XML "C:\Users\user\AppData\Local\Temp\tmp5251.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Process created: C:\Users\user\Desktop\Order_List.scr.exe "C:\Users\user\Desktop\Order_List.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTlLqTRGrXZr" /XML "C:\Users\user\AppData\Local\Temp\tmp6FCC.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Process created: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe "C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Order_List.scr.exe	Queries volume information: C:\Users\user\Desktop\Order_List.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Queries volume information: C:\Users\user\Desktop\Order_List.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Queries volume information: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Queries volume information: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Order_List.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Order_List.scr.exe.5d20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order_List.scr.exe.5d20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2209588956.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Order_List.scr.exe.4349970.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order_List.scr.exe.436a390.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order_List.scr.exe.436a390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order_List.scr.exe.4349970.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4607215864.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4604593123.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4607797930.00000000033AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2207129697.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4607215864.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4607797930.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Order_List.scr.exe PID: 1548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Order_List.scr.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FTlLqTRGrXZr.exe PID: 7344, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Order_List.scr.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\Order_List.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 0.2.Order_List.scr.exe.4349970.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order_List.scr.exe.436a390.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order_List.scr.exe.436a390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order_List.scr.exe.4349970.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4604593123.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2207129697.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Order_List.scr.exe PID: 1548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Order_List.scr.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FTlLqTRGrXZr.exe PID: 7344, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Order_List.scr.exe.5d20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order_List.scr.exe.5d20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2209588956.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Order_List.scr.exe.4349970.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order_List.scr.exe.436a390.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order_List.scr.exe.436a390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Order_List.scr.exe.4349970.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4607215864.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4604593123.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4607797930.00000000033AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2207129697.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4607215864.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4607797930.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Order_List.scr.exe PID: 1548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Order_List.scr.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FTlLqTRGrXZr.exe PID: 7344, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	13 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Order_List.scr.exe	71%	ReversingLabs	Win32.Trojan.Znyonm
Order_List.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	71%	ReversingLabs	Win32.Trojan.Znyonm

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.64.1	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	Order_List.scr.exe, 00000009.00000002.4607797930.0000000003363000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003347000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003390000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003355000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000339F000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.00000000032A7000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.00000000032EA000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000333A000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002CDA000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002C97000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189H	Order_List.scr.exe, 00000009.00000002.4607797930.000000000333A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	Order_List.scr.exe, 00000009.00000002.4607797930.0000000003363000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003347000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003390000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003355000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000339F000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.00000000032A7000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.00000000032EA000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000333A000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000329B000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002C8B000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002CDA000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002C97000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	Order_List.scr.exe, 00000009.00000002.4607797930.0000000003363000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003347000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003390000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003355000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000339F000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.00000000032A7000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000333A000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002C97000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Order_List.scr.exe, 00000000.00000002.2206154442.000000000338D000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000B.00000002.2277645088.00000000023F8000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	Order_List.scr.exe, FTlLqTRGrXZr.exe.0.dr	false	high
http://checkip.dyndns.org/q	Order_List.scr.exe, 00000000.00000002.2207129697.0000000004349000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4604593123.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	Order_List.scr.exe, 00000009.00000002.4607797930.0000000003363000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003347000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003390000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003355000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000339F000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.00000000032EA000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000333A000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002CDA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	Order_List.scr.exe, 00000009.00000002.4607797930.0000000003363000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003347000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003390000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.0000000003355000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000339F000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.000000000333A000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D45000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002D80000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	Order_List.scr.exe, 00000000.00000002.2207129697.0000000004349000.00000004.00000800.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4604593123.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Order_List.scr.exe, 00000009.00000002.4607797930.00000000032A7000.00000004.00000800.00020000.00000000.sdmp, FTlLqTRGrXZr.exe, 0000000E.00000002.4607215864.0000000002C97000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
104.21.64.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586804
Start date and time:	2025-01-09 16:38:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Order_List.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/15@2/2
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 100% Number of executed functions: 256 Number of non-executed functions: 50
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 13.107.246.45, 20.12.23.50, 20.109.210.53
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target FTlLqTRGrXZr.exe, PID 7344 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Order_List.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
10:38:57	API Interceptor	8884498x Sleep call for process: Order_List.scr.exe modified
10:39:03	API Interceptor	30x Sleep call for process: powershell.exe modified
10:39:06	API Interceptor	6339002x Sleep call for process: FTlLqTRGrXZr.exe modified
16:39:05	Task Scheduler	Run new task: FTlLqTRGrXZr path: C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
104.21.64.1	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	Sales Acknowledgement - HES #982323.pdf	Get hash	malicious	Unknown	Browse	ordrr.statementquo.com/QCbxA/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	adsfirm.com/administrator/index.php
	PO2412010.exe	Get hash	malicious	FormBook	Browse	www.bser101pp.buzz/v89f/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Nuevo pedido.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	104.21.48.1
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
checkip.dyndns.com	Nuevo pedido.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	193.122.6.168
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	miori.ppc.elf	Get hash	malicious	Unknown	Browse	132.224.247.83
CLOUDFLARENETUS	Nuevo pedido.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	Benefit_401k_2025_Enrollment.pdf	Get hash	malicious	Unknown	Browse	172.64.155.59
	https://ccml.io/	Get hash	malicious	Unknown	Browse	104.17.24.14
	http://readermodeext.info	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://bryf.atchirlisc.ru/EeMAGvIe/	Get hash	malicious	HTMLPhisher	Browse	172.64.41.3
	http://readermodeext.info	Get hash	malicious	Unknown	Browse	1.1.1.1
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	24EPV9vjc5.exe	Get hash	malicious	Unknown	Browse	172.67.174.91

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Nuevo pedido.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	104.21.64.1
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.64.1

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FTlLqTRGrXZr.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order_List.scr.exe.log

Download File

Process:	C:\Users\user\Desktop\Order_List.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380134126512796
Encrypted:	false
SSDEEP:	48:+WSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeoPUyus:+LHxvIIwLgZ2KRHWLOugYs
MD5:	9E8278CA2A1E910E91C9CADDD5751BE5
SHA1:	C07C44FB0217420F4D23DF44FAC0FB95CFB38B0D
SHA-256:	92B7A368F86D7BF972194EC5475B027C101B81DE2AB3A554E070F92D22DB39FD
SHA-512:	1646CC72DD2879D59CC08909C31738B8742888CA198C0A1F315C12608B2C3FB147485C03642DA86F91C630817563182DEA5038F585545B78DF82F230693D36C8
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ca333zeh.eqb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d52pqcyz.tuq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fa5pdexa.s53.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fhmqiccc.shq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gv4ucgsn.z0m.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lc4yl3jc.4hi.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_npv3wvow.uui.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p3hiayb1.sfc.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp5251.tmp

Download File

Process:	C:\Users\user\Desktop\Order_List.scr.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1599
Entropy (8bit):	5.104546477340978
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLUVLxv:cge7QYrFdOFzOzN33ODOiDdKrsuTy1v
MD5:	65E0B83BF406D606441352BD16A5A64E
SHA1:	46B6D456552767C9309DF9024F654B3E3C1266D8
SHA-256:	B170C4DE145504A92A3448967D18B2BD6EE79B33261B537F1515D2D3264DB627
SHA-512:	0D4C73222648347750EE3B6C9D457383DB9442C5515F48651ACBC09A6D7EF1D3CB1DE38CABE86FB13CFE17A0782302CC64D38903C762D3AE2CE1DDCD491F957D
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmp6FCC.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1599
Entropy (8bit):	5.104546477340978
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLUVLxv:cge7QYrFdOFzOzN33ODOiDdKrsuTy1v
MD5:	65E0B83BF406D606441352BD16A5A64E
SHA1:	46B6D456552767C9309DF9024F654B3E3C1266D8
SHA-256:	B170C4DE145504A92A3448967D18B2BD6EE79B33261B537F1515D2D3264DB627
SHA-512:	0D4C73222648347750EE3B6C9D457383DB9442C5515F48651ACBC09A6D7EF1D3CB1DE38CABE86FB13CFE17A0782302CC64D38903C762D3AE2CE1DDCD491F957D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

Download File

Process:	C:\Users\user\Desktop\Order_List.scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	706056
Entropy (8bit):	7.444668333539724
Encrypted:	false
SSDEEP:	12288:xTWMWYMV+I4MVKWsXW+KiXe39JZArWHEkznuJVGZdkR:d/GRgjXWLYrvWA
MD5:	78A62A23291A3C7907E947BC9F270E09
SHA1:	A28A2DB1CACCA688A66A00ECD840AEDEAEF484D4
SHA-256:	3652DCDB4EAFF1A11FF293EEDB80363E024BDA7A33F1E1C17B082DFD4CEA5A86
SHA-512:	F690A98DDE16B8D5DB12ACC15B5BCF56B8F869773CAF080C16C5ED74A7A182252CFCCDFD3E1068D7761917E5F58DE6B03FBC452FDCFCEA2FE0D15BD3CB300FCA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Joe Sandbox View:	Filename: New order 2025.msg, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....\|g..............0..r.............. ........@.. ....................................`.....................................O.......l................6........................................................... ............... ..H............text....p... ...r.................. ..`.rsrc...l............t..............@..@.reloc..............................@..B........................H.......PB...7......4....y...............................................0............}.....r...p(....}.....r...p(....}.....s....}......}......}.....(.......( .....{.....r7..pr9..p~5...%-.&~4.....R...s....%.5...(...+(...+~6...%-.&~4.....S...s....%.6...(...+...G...%..(...+s.....%.rK..p.%.rY..p...H...(....rs..p ............%...%...(........0..(..........}.....{....o.....s ...... ....(!...&F...}......(........0..............{.....X..}.....s...}......{....o"....o#...t.......(

C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Order_List.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.444668333539724
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Order_List.scr.exe
File size:	706'056 bytes
MD5:	78a62a23291a3c7907e947bc9f270e09
SHA1:	a28a2db1cacca688a66a00ecd840aedeaef484d4
SHA256:	3652dcdb4eaff1a11ff293eedb80363e024bda7a33f1e1c17b082dfd4cea5a86
SHA512:	f690a98dde16b8d5db12acc15b5bcf56b8f869773caf080c16c5ed74a7a182252cfccdfd3e1068d7761917e5f58de6b03fbc452fdcfcea2fe0d15bd3cb300fca
SSDEEP:	12288:xTWMWYMV+I4MVKWsXW+KiXe39JZArWHEkznuJVGZdkR:d/GRgjXWLYrvWA
TLSH:	08E48C5A0356E4C1D0D606BC24E3FBB782544D489A21C6C247ECFEA73AA3A5D790F1DB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....\|g..............0..r............... ........@.. ....................................`................................

File Icon


Icon Hash:	13294d96922b2b0f

Static PE Info

General

Entrypoint:	0x4a90da
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x677CCDCC [Tue Jan 7 06:46:36 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa9088	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaa000	0x196c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xa9000	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xac000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa70e0	0xa7200	597c0a44777c7d6571bb78cac904f11e	False	0.7947027510284218	data	7.446253940033166	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xaa000	0x196c	0x1a00	2e8f7e86b31d4636742e8272abc18f8d	False	0.6536959134615384	data	6.005585155554715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xac000	0xc	0x200	bb315e5ebdd80561b3fc0870db6d3134	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xaa0e8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.8129432624113475
RT_ICON	0xaa560	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.7136491557223265
RT_GROUP_ICON	0xab618	0x22	data	0.9411764705882353
RT_VERSION	0xab64c	0x31c	data	0.43090452261306533

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T16:39:05.437709+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49716	132.226.8.169	80	TCP
2025-01-09T16:39:06.812648+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49716	132.226.8.169	80	TCP
2025-01-09T16:39:07.278025+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49730	104.21.64.1	443	TCP
2025-01-09T16:39:08.140840+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49731	132.226.8.169	80	TCP
2025-01-09T16:39:08.783110+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49737	104.21.64.1	443	TCP
2025-01-09T16:39:11.835557+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49762	104.21.64.1	443	TCP
2025-01-09T16:39:12.703288+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49768	132.226.8.169	80	TCP
2025-01-09T16:39:13.260564+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49775	104.21.64.1	443	TCP
2025-01-09T16:39:13.640790+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49768	132.226.8.169	80	TCP
2025-01-09T16:39:14.249800+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49783	104.21.64.1	443	TCP
2025-01-09T16:39:14.669333+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49789	104.21.64.1	443	TCP
2025-01-09T16:39:15.140772+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49790	132.226.8.169	80	TCP
2025-01-09T16:39:16.895405+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49802	104.21.64.1	443	TCP
2025-01-09T16:39:18.436587+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49807	132.226.8.169	80	TCP
2025-01-09T16:39:19.396707+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49813	104.21.64.1	443	TCP
2025-01-09T16:39:24.383897+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49846	104.21.64.1	443	TCP
2025-01-09T16:39:26.004692+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49858	104.21.64.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 16:39:04.324104071 CET	49716	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:04.328928947 CET	80	49716	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:04.329075098 CET	49716	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:04.329226017 CET	49716	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:04.333997011 CET	80	49716	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:05.108402014 CET	80	49716	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:05.133994102 CET	49716	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:05.138799906 CET	80	49716	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:05.389518976 CET	80	49716	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:05.437709093 CET	49716	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:05.542476892 CET	49719	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:05.542516947 CET	443	49719	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:05.543154001 CET	49719	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:05.609174013 CET	49719	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:05.609190941 CET	443	49719	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:06.071629047 CET	443	49719	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:06.071732998 CET	49719	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:06.074285030 CET	49719	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:06.074292898 CET	443	49719	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:06.074600935 CET	443	49719	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:06.125144005 CET	49719	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:06.234447956 CET	49719	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:06.279334068 CET	443	49719	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:06.369990110 CET	443	49719	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:06.370055914 CET	443	49719	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:06.370126963 CET	49719	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:06.377459049 CET	49719	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:06.386919975 CET	49716	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:06.391777039 CET	80	49716	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:06.665838957 CET	80	49716	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:06.668648005 CET	49730	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:06.668692112 CET	443	49730	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:06.669029951 CET	49730	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:06.669223070 CET	49730	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:06.669241905 CET	443	49730	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:06.812648058 CET	49716	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:07.126661062 CET	443	49730	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:07.129075050 CET	49730	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:07.129112959 CET	443	49730	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:07.278040886 CET	443	49730	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:07.278098106 CET	443	49730	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:07.278146029 CET	49730	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:07.278614998 CET	49730	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:07.281910896 CET	49716	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:07.282876015 CET	49731	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:07.286932945 CET	80	49716	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:07.287039042 CET	49716	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:07.287635088 CET	80	49731	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:07.287714005 CET	49731	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:07.287803888 CET	49731	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:07.292522907 CET	80	49731	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:08.079632044 CET	80	49731	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:08.083367109 CET	49737	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:08.083429098 CET	443	49737	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:08.086477041 CET	49737	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:08.140840054 CET	49731	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:08.150475025 CET	49737	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:08.150527000 CET	443	49737	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:08.632577896 CET	443	49737	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:08.634105921 CET	49737	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:08.634131908 CET	443	49737	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:08.783109903 CET	443	49737	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:08.783181906 CET	443	49737	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:08.783387899 CET	49737	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:08.783724070 CET	49737	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:08.788094044 CET	49743	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:08.792881012 CET	80	49743	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:08.792989969 CET	49743	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:08.793040991 CET	49743	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:08.797800064 CET	80	49743	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:09.596795082 CET	80	49743	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:09.599965096 CET	49750	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:09.600004911 CET	443	49750	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:09.600063086 CET	49750	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:09.600912094 CET	49750	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:09.600923061 CET	443	49750	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:09.703288078 CET	49743	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:10.065862894 CET	443	49750	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:10.067547083 CET	49750	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:10.067579985 CET	443	49750	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:10.219182968 CET	443	49750	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:10.219252110 CET	443	49750	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:10.219516039 CET	49750	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:10.219873905 CET	49750	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:10.223412991 CET	49743	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:10.224540949 CET	49756	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:10.228359938 CET	80	49743	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:10.228420019 CET	49743	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:10.229382992 CET	80	49756	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:10.229449034 CET	49756	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:10.229569912 CET	49756	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:10.234352112 CET	80	49756	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:11.059631109 CET	80	49756	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:11.061378956 CET	49762	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:11.061408043 CET	443	49762	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:11.061467886 CET	49762	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:11.061830044 CET	49762	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:11.061845064 CET	443	49762	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:11.109575033 CET	49756	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:11.532299995 CET	443	49762	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:11.533792019 CET	49762	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:11.533828020 CET	443	49762	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:11.587076902 CET	49768	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:11.593621969 CET	80	49768	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:11.593719959 CET	49768	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:11.594033003 CET	49768	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:11.598860025 CET	80	49768	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:11.835576057 CET	443	49762	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:11.835648060 CET	443	49762	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:11.835942030 CET	49762	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:11.836359978 CET	49762	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:11.839764118 CET	49756	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:11.840990067 CET	49769	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:11.844842911 CET	80	49756	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:11.844899893 CET	49756	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:11.845765114 CET	80	49769	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:11.845827103 CET	49769	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:11.845901966 CET	49769	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:11.850600958 CET	80	49769	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:12.387860060 CET	80	49768	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:12.391467094 CET	49768	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:12.396248102 CET	80	49768	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:12.648720980 CET	80	49769	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:12.649838924 CET	49775	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:12.649868965 CET	443	49775	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:12.649955988 CET	49775	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:12.650248051 CET	49775	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:12.650255919 CET	443	49775	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:12.656164885 CET	80	49768	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:12.694304943 CET	49776	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:12.694344997 CET	443	49776	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:12.694516897 CET	49776	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:12.699152946 CET	49776	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:12.699166059 CET	443	49776	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:12.703284979 CET	49769	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:12.703288078 CET	49768	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:13.107171059 CET	443	49775	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:13.117660999 CET	49775	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:13.117706060 CET	443	49775	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:13.157325983 CET	443	49776	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:13.157464027 CET	49776	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:13.159363985 CET	49776	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:13.159377098 CET	443	49776	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:13.161251068 CET	443	49776	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:13.203260899 CET	49776	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:13.216144085 CET	49776	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:13.259322882 CET	443	49776	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:13.260585070 CET	443	49775	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:13.260656118 CET	443	49775	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:13.260703087 CET	49775	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:13.261181116 CET	49775	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:13.264672041 CET	49769	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:13.266037941 CET	49782	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:13.269696951 CET	80	49769	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:13.269745111 CET	49769	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:13.271037102 CET	80	49782	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:13.271095991 CET	49782	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:13.271212101 CET	49782	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:13.276006937 CET	80	49782	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:13.323295116 CET	443	49776	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:13.323378086 CET	443	49776	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:13.323420048 CET	49776	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:13.326333046 CET	49776	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:13.330225945 CET	49768	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:13.335095882 CET	80	49768	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:13.592492104 CET	80	49768	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:13.595391989 CET	49783	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:13.595428944 CET	443	49783	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:13.595503092 CET	49783	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:13.595799923 CET	49783	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:13.595813990 CET	443	49783	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:13.640789986 CET	49768	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:14.059542894 CET	80	49782	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:14.060812950 CET	49789	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:14.060861111 CET	443	49789	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:14.060940027 CET	49789	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:14.061180115 CET	49789	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:14.061197996 CET	443	49789	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:14.081252098 CET	443	49783	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:14.083153009 CET	49783	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:14.083180904 CET	443	49783	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:14.109540939 CET	49782	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:14.249891043 CET	443	49783	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:14.250049114 CET	443	49783	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:14.250257015 CET	49783	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:14.250896931 CET	49783	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:14.255951881 CET	49768	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:14.257328987 CET	49790	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:14.261039019 CET	80	49768	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:14.261194944 CET	49768	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:14.262121916 CET	80	49790	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:14.262228966 CET	49790	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:14.262495041 CET	49790	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:14.267257929 CET	80	49790	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:14.541240931 CET	443	49789	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:14.545521975 CET	49789	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:14.545561075 CET	443	49789	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:14.669361115 CET	443	49789	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:14.669431925 CET	443	49789	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:14.669930935 CET	49789	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:14.670017004 CET	49789	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:14.673306942 CET	49782	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:14.674938917 CET	49793	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:14.678333044 CET	80	49782	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:14.678527117 CET	49782	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:14.679702044 CET	80	49793	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:14.679892063 CET	49793	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:14.680147886 CET	49793	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:14.684895992 CET	80	49793	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:15.092946053 CET	80	49790	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:15.094263077 CET	49800	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:15.094294071 CET	443	49800	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:15.097728014 CET	49800	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:15.097728014 CET	49800	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:15.097764015 CET	443	49800	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:15.140772104 CET	49790	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:15.490457058 CET	80	49793	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:15.491763115 CET	49802	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:15.491796970 CET	443	49802	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:15.491862059 CET	49802	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:15.492202044 CET	49802	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:15.492213964 CET	443	49802	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:15.531656027 CET	49793	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:15.928788900 CET	443	49800	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:15.930434942 CET	49800	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:15.930474997 CET	443	49800	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:16.535389900 CET	443	49800	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:16.535455942 CET	443	49800	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:16.535554886 CET	49800	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:16.535907984 CET	49800	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:16.539194107 CET	49790	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:16.540590048 CET	49807	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:16.544125080 CET	80	49790	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:16.544193983 CET	49790	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:16.545437098 CET	80	49807	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:16.545569897 CET	49807	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:16.545597076 CET	49807	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:16.550421000 CET	80	49807	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:16.711138010 CET	443	49802	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:16.712647915 CET	49802	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:16.712676048 CET	443	49802	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:16.895342112 CET	443	49802	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:16.895411968 CET	443	49802	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:16.895661116 CET	49802	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:16.895961046 CET	49802	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:18.435931921 CET	80	49807	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:18.436458111 CET	80	49807	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:18.436587095 CET	49807	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:18.436901093 CET	80	49807	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:18.436935902 CET	49807	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:18.437201023 CET	80	49807	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:18.437241077 CET	49807	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:18.437866926 CET	49813	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:18.437912941 CET	443	49813	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:18.437974930 CET	49813	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:18.438278913 CET	49813	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:18.438288927 CET	443	49813	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:19.207645893 CET	443	49813	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:19.217411041 CET	49813	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:19.217500925 CET	443	49813	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:19.396800995 CET	443	49813	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:19.396970034 CET	443	49813	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:19.397116899 CET	49813	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:19.397455931 CET	49813	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:19.402008057 CET	49819	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:19.406867981 CET	80	49819	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:19.407155037 CET	49819	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:19.407155037 CET	49819	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:19.411976099 CET	80	49819	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:20.213387012 CET	80	49819	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:20.214936018 CET	49825	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:20.214981079 CET	443	49825	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:20.215334892 CET	49825	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:20.215605021 CET	49825	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:20.215620041 CET	443	49825	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:20.265898943 CET	49819	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:20.795824051 CET	443	49825	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:20.798589945 CET	49825	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:20.798629999 CET	443	49825	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:20.938739061 CET	443	49825	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:20.938900948 CET	443	49825	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:20.939028978 CET	49825	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:20.939760923 CET	49825	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:20.944289923 CET	49819	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:20.945450068 CET	49831	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:20.949246883 CET	80	49819	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:20.949318886 CET	49819	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:20.950309038 CET	80	49831	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:20.950376987 CET	49831	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:20.950530052 CET	49831	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:20.956126928 CET	80	49831	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:21.863544941 CET	80	49831	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:21.865107059 CET	49838	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:21.865144014 CET	443	49838	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:21.865269899 CET	49838	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:21.865508080 CET	49838	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:21.865516901 CET	443	49838	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:21.906436920 CET	49831	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:22.396214008 CET	443	49838	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:22.398134947 CET	49838	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:22.398178101 CET	443	49838	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:22.542514086 CET	443	49838	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:22.542586088 CET	443	49838	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:22.542665005 CET	49838	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:22.543147087 CET	49838	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:22.546363115 CET	49831	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:22.551305056 CET	80	49831	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:22.551321983 CET	49842	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:22.551366091 CET	49831	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:22.556174040 CET	80	49842	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:22.556371927 CET	49842	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:22.556435108 CET	49842	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:22.564443111 CET	80	49842	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:23.787107944 CET	80	49842	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:23.788438082 CET	49846	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:23.788491964 CET	443	49846	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:23.789906979 CET	49846	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:23.790226936 CET	49846	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:23.790241003 CET	443	49846	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:23.828536987 CET	49842	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:24.246759892 CET	443	49846	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:24.248522997 CET	49846	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:24.248609066 CET	443	49846	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:24.383991957 CET	443	49846	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:24.384164095 CET	443	49846	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:24.384241104 CET	49846	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:24.384639978 CET	49846	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:24.388025999 CET	49842	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:24.389089108 CET	49852	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:24.392976046 CET	80	49842	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:24.393259048 CET	49842	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:24.393865108 CET	80	49852	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:24.393953085 CET	49852	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:24.394098997 CET	49852	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:24.398960114 CET	80	49852	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:25.188147068 CET	80	49852	132.226.8.169	192.168.2.6
Jan 9, 2025 16:39:25.190484047 CET	49858	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:25.190526962 CET	443	49858	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:25.190963984 CET	49858	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:25.190963984 CET	49858	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:25.191001892 CET	443	49858	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:25.234576941 CET	49852	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:39:25.672802925 CET	443	49858	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:25.674365044 CET	49858	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:25.674382925 CET	443	49858	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:26.004766941 CET	443	49858	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:26.004911900 CET	443	49858	104.21.64.1	192.168.2.6
Jan 9, 2025 16:39:26.004992962 CET	49858	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:39:26.016736031 CET	49858	443	192.168.2.6	104.21.64.1
Jan 9, 2025 16:40:13.080948114 CET	80	49731	132.226.8.169	192.168.2.6
Jan 9, 2025 16:40:13.081007004 CET	49731	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:40:20.450439930 CET	80	49793	132.226.8.169	192.168.2.6
Jan 9, 2025 16:40:20.450490952 CET	49793	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:40:22.439243078 CET	80	49807	132.226.8.169	192.168.2.6
Jan 9, 2025 16:40:22.439320087 CET	49807	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:40:30.345988035 CET	80	49852	132.226.8.169	192.168.2.6
Jan 9, 2025 16:40:30.349658012 CET	49852	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:40:30.551332951 CET	80	49852	132.226.8.169	192.168.2.6
Jan 9, 2025 16:40:30.552952051 CET	49852	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:40:55.500807047 CET	49793	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:40:55.506128073 CET	80	49793	132.226.8.169	192.168.2.6
Jan 9, 2025 16:41:05.203572035 CET	49852	80	192.168.2.6	132.226.8.169
Jan 9, 2025 16:41:05.208532095 CET	80	49852	132.226.8.169	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 16:39:04.309930086 CET	51443	53	192.168.2.6	1.1.1.1
Jan 9, 2025 16:39:04.318228960 CET	53	51443	1.1.1.1	192.168.2.6
Jan 9, 2025 16:39:05.473973989 CET	56586	53	192.168.2.6	1.1.1.1
Jan 9, 2025 16:39:05.481153011 CET	53	56586	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 16:39:04.309930086 CET	192.168.2.6	1.1.1.1	0x154b	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:39:05.473973989 CET	192.168.2.6	1.1.1.1	0x9d76	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 16:39:04.318228960 CET	1.1.1.1	192.168.2.6	0x154b	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 16:39:04.318228960 CET	1.1.1.1	192.168.2.6	0x154b	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:39:04.318228960 CET	1.1.1.1	192.168.2.6	0x154b	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:39:04.318228960 CET	1.1.1.1	192.168.2.6	0x154b	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:39:04.318228960 CET	1.1.1.1	192.168.2.6	0x154b	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:39:04.318228960 CET	1.1.1.1	192.168.2.6	0x154b	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:39:05.481153011 CET	1.1.1.1	192.168.2.6	0x9d76	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:39:05.481153011 CET	1.1.1.1	192.168.2.6	0x9d76	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:39:05.481153011 CET	1.1.1.1	192.168.2.6	0x9d76	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:39:05.481153011 CET	1.1.1.1	192.168.2.6	0x9d76	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:39:05.481153011 CET	1.1.1.1	192.168.2.6	0x9d76	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:39:05.481153011 CET	1.1.1.1	192.168.2.6	0x9d76	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:39:05.481153011 CET	1.1.1.1	192.168.2.6	0x9d76	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49716	132.226.8.169	80	5900	C:\Users\user\Desktop\Order_List.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:39:04.329226017 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:39:05.108402014 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:04 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 16:39:05.133994102 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 16:39:05.389518976 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 16:39:06.386919975 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 16:39:06.665838957 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:06 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49731	132.226.8.169	80	5900	C:\Users\user\Desktop\Order_List.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:39:07.287803888 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 16:39:08.079632044 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49743	132.226.8.169	80	5900	C:\Users\user\Desktop\Order_List.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:39:08.793040991 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:39:09.596795082 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49756	132.226.8.169	80	5900	C:\Users\user\Desktop\Order_List.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:39:10.229569912 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:39:11.059631109 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49768	132.226.8.169	80	7344	C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:39:11.594033003 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:39:12.387860060 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 16:39:12.391467094 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 16:39:12.656164885 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 16:39:13.330225945 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 16:39:13.592492104 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49769	132.226.8.169	80	5900	C:\Users\user\Desktop\Order_List.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:39:11.845901966 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:39:12.648720980 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49782	132.226.8.169	80	5900	C:\Users\user\Desktop\Order_List.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:39:13.271212101 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:39:14.059542894 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49790	132.226.8.169	80	7344	C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:39:14.262495041 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 16:39:15.092946053 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49793	132.226.8.169	80	5900	C:\Users\user\Desktop\Order_List.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:39:14.680147886 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:39:15.490457058 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49807	132.226.8.169	80	7344	C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:39:16.545597076 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 16:39:18.435931921 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 16:39:18.436458111 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 16:39:18.436901093 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 16:39:18.437201023 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49819	132.226.8.169	80	7344	C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:39:19.407155037 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:39:20.213387012 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49831	132.226.8.169	80	7344	C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:39:20.950530052 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:39:21.863544941 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49842	132.226.8.169	80	7344	C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:39:22.556435108 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:39:23.787107944 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49852	132.226.8.169	80	7344	C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:39:24.394098997 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:39:25.188147068 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49719	104.21.64.1	443	5900	C:\Users\user\Desktop\Order_List.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:39:06 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 15:39:06 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:06 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751935 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7Ul6cLm4xigoX5ObmCfBOu%2FlOgdB0vQss9RgyD2NTQT8UVMfuSowspW%2Bph%2F%2B95SwNfQrLwr6xyd4P3EN%2BM5N8YY826FJXuhwFbgNQa71E4OYFQITw6T93jYj1EH99ziVtE2E8jEA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff584a469867c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2029&min_rtt=2026&rtt_var=767&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1419543&cwnd=218&unsent_bytes=0&cid=f436573e2faf3ffb&ts=309&x=0"
2025-01-09 15:39:06 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49730	104.21.64.1	443	5900	C:\Users\user\Desktop\Order_List.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:39:07 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 15:39:07 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:07 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751936 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DFm%2F6s6tKAz%2BfqVDsZMlI%2FGNkOEgenT83fCafJ5yHVFch%2B6r3qpCiLO3y8tZbdsQLnqJwMAaVvkCRaVu517y2dJJiUw%2BBEaTYxcUdJvMvRy5tvC1ZTOd3QQMFDAyuLGktm3BTu9t"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff584aa18b18ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1940&min_rtt=1937&rtt_var=733&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1486005&cwnd=168&unsent_bytes=0&cid=bf79d8a5c51c403a&ts=158&x=0"
2025-01-09 15:39:07 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49737	104.21.64.1	443	5900	C:\Users\user\Desktop\Order_List.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:39:08 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 15:39:08 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:08 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751937 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BefR0tVer40s6%2B3EAjyKh8pVKHTGihy2VKTrsagRqGCzmaKv2hk8RtryQ5Db1Nmfa0VEvmGwQuG7OgfePxA26d%2F%2BHoDfzPtIDotfLwcxzfw6QbJddAk5ZhT3npZ05oSJCxb84wAr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff584b38aee8ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1963&min_rtt=1955&rtt_var=750&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1443400&cwnd=168&unsent_bytes=0&cid=ef8ed7f2c6702aba&ts=153&x=0"
2025-01-09 15:39:08 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49750	104.21.64.1	443	5900	C:\Users\user\Desktop\Order_List.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:39:10 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 15:39:10 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:10 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751939 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rcRa2RCH0pbIu2ffiZFIH08oPnItwWaP4fZM%2FrbIWBfuFR7n1EukIoDzTn1BlM8ERh%2BmHv%2Frm%2FxHcDLLpDtUqunGKMjNivVwdHRhhDss0nZl5Z6nobtCkh9nhDhJ8FLPpQ4KrAS3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff584bc783042e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1727&min_rtt=1721&rtt_var=658&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1645997&cwnd=240&unsent_bytes=0&cid=d9fa0962f091fc31&ts=159&x=0"
2025-01-09 15:39:10 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49762	104.21.64.1	443	5900	C:\Users\user\Desktop\Order_List.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:39:11 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 15:39:11 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:11 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751940 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iU%2FWGnzHU6afu6EkR36xo0iElF0ehZO3bSFZAtu2ue19nhe7Wmu11Duo2JNdxk%2BI01RuI65IreTyhHngHrTuH5g3cGphMgLo3bw3GAMu2UO5m4lSWNUAO5aolfJLC71%2FwGnAwMWj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff584c5bee18ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2092&min_rtt=2016&rtt_var=810&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1448412&cwnd=168&unsent_bytes=0&cid=3239c07cacf3bca9&ts=171&x=0"
2025-01-09 15:39:11 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49775	104.21.64.1	443	5900	C:\Users\user\Desktop\Order_List.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:39:13 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 15:39:13 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:13 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751942 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5Fi8cibrzyPDOqKg%2BNF2uF6E%2BcYj1FIsbpXc7cZEv4WDlXHoRIvENKzIRUjuzZLVDyeVQ71CbQBsJXpNeUqr%2F%2FsuekStBlRVt6rGv8NXYGkwgxNCvkbwDSCHMzRSPVL1n3k84lQB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff584cf8db1de95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1589&min_rtt=1580&rtt_var=611&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1763285&cwnd=242&unsent_bytes=0&cid=1c2a77afd8edee77&ts=162&x=0"
2025-01-09 15:39:13 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49776	104.21.64.1	443	7344	C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:39:13 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 15:39:13 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:13 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751942 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qvc8OB2nzqBAVcAVuhCKJTqRdetXNp8bXwddxKna%2BWrNRerhWCjlGI9rjxOFEFStW95zq8Uxyj9y2vu0hIopfxUvqZa4hGVBz5PUN3WbafIL%2BpSb7blZeD0NArPhBjksR29kAPxz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff584cfee5c7c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1972&min_rtt=1966&rtt_var=749&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1449851&cwnd=218&unsent_bytes=0&cid=03e9fcdffe6dc482&ts=170&x=0"
2025-01-09 15:39:13 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49783	104.21.64.1	443	7344	C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:39:14 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 15:39:14 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:14 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751943 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cqdRYIk8aEGCCr4sa4u7yJxaMc%2FFEYmMqthhZdJpMtfjDD0EXYAYi6BQ3apOMD1UgLovYWD3CWo7FzMBCUX54RHbzLfkxkzNXSrHsKTYoNOzW5eAzeZoFVv%2FiLLq16QT0IC4TOLH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff584d569a74414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1758&min_rtt=1756&rtt_var=663&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1645070&cwnd=180&unsent_bytes=0&cid=2e9ff54d9a413bc3&ts=177&x=0"
2025-01-09 15:39:14 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49789	104.21.64.1	443	5900	C:\Users\user\Desktop\Order_List.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:39:14 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 15:39:14 UTC	851	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:14 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751943 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2Rs1xkaIBvkDjDW9xZ9B0d9QqdGFncv3h3XArxAyS3pkzBdSvddNra9RayKukJs4j6eoxzRnlwzGuNw0Vv5a4y45gL3lROVa6i1SwHM1Sgv2Rl8ds5N9N%2BXFZ5sQJIEi5MKvJOL8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff584d85e124414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1770&min_rtt=1767&rtt_var=670&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1624930&cwnd=180&unsent_bytes=0&cid=761f622596a73054&ts=131&x=0"
2025-01-09 15:39:14 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49800	104.21.64.1	443	7344	C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:39:15 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 15:39:16 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:16 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751945 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JKiiyMVCIXsOawTZwdBpMqTpYhKxkyfyjS6foXZyG3SMxZK03kIdOBfaSpXC0H8VnPQHwLW28aPWsy2QpID%2FskXkVC4XaPhceOws68DjlsZXc%2F2JL0Z3pAr4y5%2FnskQoyuK3NbiK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff584e2fcf47c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=85720&min_rtt=82833&rtt_var=36837&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=27564&cwnd=218&unsent_bytes=0&cid=df42b2fb975587cd&ts=556&x=0"
2025-01-09 15:39:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49802	104.21.64.1	443	5900	C:\Users\user\Desktop\Order_List.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:39:16 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 15:39:16 UTC	856	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:16 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751945 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6YWOdna7wEHlfy9kSqVWYZwRhYvzhx2wwPiXcmifhlRSNyrT6vTeqrmDbmT5U21diehZSn3gDfQSbV6gx5S6fYwr4%2F77U94g9KKcTOJfNL1ut9k7IeUXAuPS%2BC8uPAcV9z5C2AIj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff584e62c248ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=60038&min_rtt=2050&rtt_var=35164&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1424390&cwnd=168&unsent_bytes=0&cid=954ef19a4ea44b08&ts=173&x=0"
2025-01-09 15:39:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49813	104.21.64.1	443	7344	C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:39:19 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 15:39:19 UTC	862	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:19 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751948 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zXHuauTr2Fda%2FEY1xwUslwvpXv7N201mzRyJVUV3%2Fr9SYa1OscXKTHii%2F%2BxgZmNNI4XtsDIJ9R93uRfS78d0J9Vld1gSb%2FfYJG2mkrwVgbBfnEYIk2epQInAuMqexTNGFaOd6izO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff584f5dc19de95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=73478&min_rtt=14201&rtt_var=41810&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=205619&cwnd=242&unsent_bytes=0&cid=4b66819f07deaea9&ts=200&x=0"
2025-01-09 15:39:19 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49825	104.21.64.1	443	7344	C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:39:20 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 15:39:20 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:20 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751950 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FzxmBqyQ%2Fn9INW7gQBLd8DHLORc3YgkrJSc5FqjCgXzVldui43umN02Fm6AYL9gUnrHKFtW2oKcWlF8NWZoSP4liIAaMs8hyU%2BzDKQ6wip0HpZ6ydby%2B5RNkFqvEmMlfGtqiV9zT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff584ff8aebde95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1655&min_rtt=1643&rtt_var=625&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1777236&cwnd=242&unsent_bytes=0&cid=e0b49f7655492281&ts=273&x=0"
2025-01-09 15:39:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49838	104.21.64.1	443	7344	C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:39:22 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 15:39:22 UTC	865	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:22 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751951 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KX0R8itMpS%2BU2poXA4lcVs3zpA88pYGelEqkgWkg2QT%2BnHtA%2B1r2AUN5YfduRbE%2BCclvaoB9mzPqaBrhvkTDr%2B8pxHpDUMjIbgvyE6X3cBUi7XZFND%2Bb9Ol8INWbgKxmuw%2FkWyOS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff585098efa42e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=20451&min_rtt=19557&rtt_var=9123&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=109301&cwnd=240&unsent_bytes=0&cid=e77a6eae2d477f65&ts=178&x=0"
2025-01-09 15:39:22 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49846	104.21.64.1	443	7344	C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:39:24 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 15:39:24 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:24 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751953 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PtHYa6wzOR67Psu%2FFT%2FDJNUowg80WgVa6ycfRNbmN3PZzAHDJF58vN4NLuQGElQlffWG%2B1csmm5YCMjtneZsBztJZI2u790Cb%2BL4u2joCb5LgwrHZ85dbHaM8W4uqX3A4Dz%2FYPil"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff585150db94414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1818&min_rtt=1812&rtt_var=684&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1611479&cwnd=180&unsent_bytes=0&cid=e6b187304d3ade4a&ts=136&x=0"
2025-01-09 15:39:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49858	104.21.64.1	443	7344	C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:39:25 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 15:39:26 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:39:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751954 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6PtAcp8HoZISZ0E90rJhHQLMiYa0Di4Nu6H4Eq8GJWq2N2MgkiddEzypJCv%2BoM1wB%2BpfWAywXkJ2fc3hTNVZk9eFwhXFCEQ75aPslRMtTJrFxd0m2CvPhTBQLeE5kryWHcdYBfdN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff5851dff33de95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1630&min_rtt=1595&rtt_var=623&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1830721&cwnd=242&unsent_bytes=0&cid=1ba5f2ccea474bb2&ts=148&x=0"
2025-01-09 15:39:26 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	10:38:57
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\Order_List.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Order_List.scr.exe"
Imagebase:	0xf40000
File size:	706'056 bytes
MD5 hash:	78A62A23291A3C7907E947BC9F270E09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2209588956.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2207129697.0000000004349000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2207129697.0000000004349000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2207129697.0000000004349000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2207129697.0000000004349000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:39:02
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order_List.scr.exe"
Imagebase:	0xd60000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:39:02
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:39:02
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe"
Imagebase:	0xd60000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:39:02
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:39:02
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTlLqTRGrXZr" /XML "C:\Users\user\AppData\Local\Temp\tmp5251.tmp"
Imagebase:	0xd0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:39:02
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:39:02
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\Order_List.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Order_List.scr.exe"
Imagebase:	0xe40000
File size:	706'056 bytes
MD5 hash:	78A62A23291A3C7907E947BC9F270E09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4604593123.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.4604593123.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.4604593123.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000009.00000002.4604593123.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.4607797930.00000000033AC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.4607797930.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	10:39:04
Start date:	09/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:39:05
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe
Imagebase:	0x10000
File size:	706'056 bytes
MD5 hash:	78A62A23291A3C7907E947BC9F270E09
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:39:10
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTlLqTRGrXZr" /XML "C:\Users\user\AppData\Local\Temp\tmp6FCC.tmp"
Imagebase:	0xd0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:39:10
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:39:10
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\FTlLqTRGrXZr.exe"
Imagebase:	0x780000
File size:	706'056 bytes
MD5 hash:	78A62A23291A3C7907E947BC9F270E09
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.4607215864.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.4607215864.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	190
Total number of Limit Nodes:	7

Executed Functions

Function 0586F39E Relevance: 1.8, Strings: 1, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D, xrefs: 0586F3A3

Memory Dump Source

Source File: 00000000.00000002.2209041427.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_Order_List.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 122898029671c25434c7c85665ee340245e5b5c214cef3a1ae4e4279d69ee89c
Instruction ID: 0cbd87a58023db379084c2e3c7b04beb2bfd96c8d7b946ec50d2e354ab84e162
Opcode Fuzzy Hash: 122898029671c25434c7c85665ee340245e5b5c214cef3a1ae4e4279d69ee89c
Instruction Fuzzy Hash: 4B52A574A002299FDB64DF64D898B9DBBB2FF89310F1081D9D509A73A5DB30AE85CF50

Function 0586C570 Relevance: .7, Instructions: 719COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209041427.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbabe47d4cbe241e1746be522b88dcc43b4290273bc492b293f8dfed305afc3c
Instruction ID: 2930933a1ffb144efb481a94380314c51b9d0f1b8b75f5bfa3261205c1e97387
Opcode Fuzzy Hash: fbabe47d4cbe241e1746be522b88dcc43b4290273bc492b293f8dfed305afc3c
Instruction Fuzzy Hash: 7B524A75B00115DFDB18DF69C898A6EBBB2BF88710B158169E956DB360DB30EC42CB90

Function 01997018 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2205792915.0000000001990000.00000040.00000800.00020000.00000000.sdmp, Offset: 01990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1990000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b03434b6dd0bab64807c50b64b790f7347181837ce9a4d497f556bef12fab3a
Instruction ID: f4e21a6c051d89426ead9f5bc8b3f43c94ada6bd042a3afd9f89362798e34d04
Opcode Fuzzy Hash: 7b03434b6dd0bab64807c50b64b790f7347181837ce9a4d497f556bef12fab3a
Instruction Fuzzy Hash: D0A1A074E002199FDF15DFA9D844AAEBBF6FF88300F109169E908AB355DB346946CF50

Function 01993E0C Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2205792915.0000000001990000.00000040.00000800.00020000.00000000.sdmp, Offset: 01990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1990000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 979d25e6cec133a13ce8c8d331b5dc0ae77c7a1ce7157ba8734cd6e33967d4f4
Instruction ID: 84a74c7a0fef22d721abcfe6e26d746e7306c2d5a5e871e25b8d057befcfbd17
Opcode Fuzzy Hash: 979d25e6cec133a13ce8c8d331b5dc0ae77c7a1ce7157ba8734cd6e33967d4f4
Instruction Fuzzy Hash: C0A1A074E00219DFDB19DFA9D884AAEBBF6FF88300F109169E909A7355DB306945CF50

Function 0199BB40 Relevance: 1.7, APIs: 1, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2205792915.0000000001990000.00000040.00000800.00020000.00000000.sdmp, Offset: 01990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1990000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7abc0a26a7ee4c9bbc6039e79f4d8c1a913406e1a5627abbb64e1be89f42cb7d
Instruction ID: 09a24ce5896cb545180c4831b6122b363ca3bfa561dacc27d83c6488164b6fec
Opcode Fuzzy Hash: 7abc0a26a7ee4c9bbc6039e79f4d8c1a913406e1a5627abbb64e1be89f42cb7d
Instruction Fuzzy Hash: 39815770A00B458FEB24DF2DE444B5ABBF5FF88200F00892DD48ADBA41DB79E845CB91

Function 059125B0 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 059127C2

Memory Dump Source

Source File: 00000000.00000002.2209072743.0000000005910000.00000040.00000800.00020000.00000000.sdmp, Offset: 05910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5910000_Order_List.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0a36c528b72157ec7447186210ba07ab25b9123ad94d70075c883d8b84cbffb9
Instruction ID: 0e7ae88f79a407bdd2e844d711234dda3987ccbbcd6974b21fed10fa2fccdd55
Opcode Fuzzy Hash: 0a36c528b72157ec7447186210ba07ab25b9123ad94d70075c883d8b84cbffb9
Instruction Fuzzy Hash: 785142B4D143599FDF05CFAAC840ADDBFB1BF48310F24815AE814AB251DB74A841CF54

Function 05912593 Relevance: 1.6, APIs: 1, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 059127C2

Memory Dump Source

Source File: 00000000.00000002.2209072743.0000000005910000.00000040.00000800.00020000.00000000.sdmp, Offset: 05910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5910000_Order_List.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 233bf6e5c8eec9a7b9cff0edb6bf7726224ad5969fa5cdc39e56fb976c38160d
Instruction ID: 7ee3b1e5fc92908bf30cc19ecf5fa2bfcebde429d322b5f440ec6536cc045e66
Opcode Fuzzy Hash: 233bf6e5c8eec9a7b9cff0edb6bf7726224ad5969fa5cdc39e56fb976c38160d
Instruction Fuzzy Hash: D851EFB5D04359DFDF14DF9AC884ADEBBB5BF88310F24812AE819AB250D774A841CF94

Function 05912613 Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 059127C2

Memory Dump Source

Source File: 00000000.00000002.2209072743.0000000005910000.00000040.00000800.00020000.00000000.sdmp, Offset: 05910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5910000_Order_List.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 10aaf0b63e297953a9f0224aafda8c79b301e34d0208e294be3bbcc6447508d0
Instruction ID: 07088e087792727e976749e9d743317b861c1af6c241857abcf803be506262b6
Opcode Fuzzy Hash: 10aaf0b63e297953a9f0224aafda8c79b301e34d0208e294be3bbcc6447508d0
Instruction Fuzzy Hash: B351E1B5D00319DFDF14CF9AC884ADEBBB5BF48310F24812AE819AB250D774A841CF94

Function 059125B3 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 059127C2

Memory Dump Source

Source File: 00000000.00000002.2209072743.0000000005910000.00000040.00000800.00020000.00000000.sdmp, Offset: 05910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5910000_Order_List.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 182d5b950e70ca94ca640ab82a123068a1f1c004e327d163bdf6550040d65649
Instruction ID: f82ded28891e53051dd5e1fd4ef28a41e230eea278c30d7087b836699cc08fff
Opcode Fuzzy Hash: 182d5b950e70ca94ca640ab82a123068a1f1c004e327d163bdf6550040d65649
Instruction Fuzzy Hash: 614120B5C04359DFDF14CF9AC884ADEBBB1BF88310F24811AE809AB250D774A881CF54

Function 05910A18 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 059127C2

Memory Dump Source

Source File: 00000000.00000002.2209072743.0000000005910000.00000040.00000800.00020000.00000000.sdmp, Offset: 05910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5910000_Order_List.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 998ac6aba9a19005f7974076031ceeaa18563a29affe5230da6dab1ee843353a
Instruction ID: bbb03c2d05fbf3ed9789fa701756d72f71f790d056b0b8e60706b0196572555f
Opcode Fuzzy Hash: 998ac6aba9a19005f7974076031ceeaa18563a29affe5230da6dab1ee843353a
Instruction Fuzzy Hash: 1751BEB5D103599FDF14DF9AC884ADEBBB5BF48310F24812AE819AB210D775A841CF94

Function 059125D1 Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 059127C2

Memory Dump Source

Source File: 00000000.00000002.2209072743.0000000005910000.00000040.00000800.00020000.00000000.sdmp, Offset: 05910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5910000_Order_List.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 929e2d21f0c0175c74b11fa7b5f9a22df3d2fdef76ea92c5ef65e069b82663ea
Instruction ID: 3b45aa88f335f04b58637bcb2031cbb5a5f40990f2d75d1791618d1d7e5964c7
Opcode Fuzzy Hash: 929e2d21f0c0175c74b11fa7b5f9a22df3d2fdef76ea92c5ef65e069b82663ea
Instruction Fuzzy Hash: 8541FEB5C14319DFDF14CF99C884ADEBBB1BF88310F24851AE819AB210DB74A881CF94

Function 0199590C Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 019959C9

Memory Dump Source

Source File: 00000000.00000002.2205792915.0000000001990000.00000040.00000800.00020000.00000000.sdmp, Offset: 01990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1990000_Order_List.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bec688031fc636fb60c51ce6a749496295a796fbd360fd0ad4164e3ae6752d50
Instruction ID: e34a6f781f4efe1d4e57ccfb49d4f9e415b8a22505e06352d7faa202ce577e06
Opcode Fuzzy Hash: bec688031fc636fb60c51ce6a749496295a796fbd360fd0ad4164e3ae6752d50
Instruction Fuzzy Hash: 2241EEB0C00719CBEF25CFA9C984B8EBBB5BF89314F60816AD408AB251DB756945CF90

Function 05910B6C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05914D41

Memory Dump Source

Source File: 00000000.00000002.2209072743.0000000005910000.00000040.00000800.00020000.00000000.sdmp, Offset: 05910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5910000_Order_List.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: c9f6eb73821fb89debc19f26420fdeed0cd2f2f09933f29e8ee192eb69de7022
Instruction ID: f3e039aad609b6f8b682c8e0121ccda09b491b072fff4dd81d6d671306353132
Opcode Fuzzy Hash: c9f6eb73821fb89debc19f26420fdeed0cd2f2f09933f29e8ee192eb69de7022
Instruction Fuzzy Hash: 9A4108B9900319CFDB14CF99C488AAABBF5FF8C314F248459D919AB321D774A941CBA4

Function 01994514 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 019959C9

Memory Dump Source

Source File: 00000000.00000002.2205792915.0000000001990000.00000040.00000800.00020000.00000000.sdmp, Offset: 01990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1990000_Order_List.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: dc2b723c7f35b38bedc28e63f5222d96017c6585b443525668da7def8e6dd16d
Instruction ID: 745ea399b6b2ab788885245cf9702070cb08a79472090c557405f2c4741d98da
Opcode Fuzzy Hash: dc2b723c7f35b38bedc28e63f5222d96017c6585b443525668da7def8e6dd16d
Instruction Fuzzy Hash: D441D0B0C0071DCBEF25CFA9C984B9EBBB5BF49704F60816AD408AB251DB756945CF90

Function 0199D6E0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0199DFE6,?,?,?,?,?), ref: 0199E0A7

Memory Dump Source

Source File: 00000000.00000002.2205792915.0000000001990000.00000040.00000800.00020000.00000000.sdmp, Offset: 01990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1990000_Order_List.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 41fdf7461de117b38326bcf727ce2d0d4b86c89ec6c10b73ebc1138dd50d59fd
Instruction ID: 90de301a9bf444ed32a66f12bbda9f9281264d799d680e72ee386111539b4596
Opcode Fuzzy Hash: 41fdf7461de117b38326bcf727ce2d0d4b86c89ec6c10b73ebc1138dd50d59fd
Instruction Fuzzy Hash: 9E21D4B5904349DFDB10CF9AD584AEEBBF4FB48310F14841AE918A3350D379A950CFA5

Function 0199E018 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0199DFE6,?,?,?,?,?), ref: 0199E0A7

Memory Dump Source

Source File: 00000000.00000002.2205792915.0000000001990000.00000040.00000800.00020000.00000000.sdmp, Offset: 01990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1990000_Order_List.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 90054087fa8b20bf411340c6b34698cfca2542575934a8d63e279de324df7da5
Instruction ID: 7c2c5a370f91affdc36dde381279aff7cc4628575b91ee490218a8473bfe87d6
Opcode Fuzzy Hash: 90054087fa8b20bf411340c6b34698cfca2542575934a8d63e279de324df7da5
Instruction Fuzzy Hash: A621E0B5904349DFDF10CFA9D984BDEBBF5BB48320F14851AE918A3250C378A954CF65

Function 0199BDD8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0199BDA6

Memory Dump Source

Source File: 00000000.00000002.2205792915.0000000001990000.00000040.00000800.00020000.00000000.sdmp, Offset: 01990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1990000_Order_List.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6adf7dd85cd5abd0bd90eb538110e5c2c56a5ae63f08154abd36357ec94e5f7d
Instruction ID: e76bcf6d1210263f296cf0969d01676ab423267c982b32e1777047c1e9aa94f2
Opcode Fuzzy Hash: 6adf7dd85cd5abd0bd90eb538110e5c2c56a5ae63f08154abd36357ec94e5f7d
Instruction Fuzzy Hash: 1D11C4B56002054FEF109A5EE814BAABBEDEFC4321F14806AD50EE7251CA3C9805CBA2

Function 0199BD40 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0199BDA6

Memory Dump Source

Source File: 00000000.00000002.2205792915.0000000001990000.00000040.00000800.00020000.00000000.sdmp, Offset: 01990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1990000_Order_List.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8aec9be04d7c9c9920235ed8de45a7742dd0534e14d67d0cdbfe751ce7590c6a
Instruction ID: e5b0025ddeb6b7bb3aa0ba9384747c05bf9f05e2e2cf5c36ef3e2a6f23b6a07d
Opcode Fuzzy Hash: 8aec9be04d7c9c9920235ed8de45a7742dd0534e14d67d0cdbfe751ce7590c6a
Instruction Fuzzy Hash: F3110FB6C003498FDB10CF9AD444BDEFBF8AF88224F14841AD929B7200D379A545CFA1

Function 0586BDE8 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209041427.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b270a8cb0a1e4c3660440a8f203f6d0833b5e0952d700463b3dfdb166918264c
Instruction ID: 85cc18c980b43cd1ce1f321c0d6fd67af9efcfd947590f33bff3617a943da7cc
Opcode Fuzzy Hash: b270a8cb0a1e4c3660440a8f203f6d0833b5e0952d700463b3dfdb166918264c
Instruction Fuzzy Hash: 74613835B101199FCB14DF69D858AAE7BF2BB88715F148069E912EB3A0DB71DC41CBA0

Function 0586C6AF Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209041427.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bfce507183190557cb8d360b78cfe01414655f56c14d80ffc1f28d63533f192
Instruction ID: 28f1a5e480c2fa28f6c286c07b04b3590479479279aef1fc3033a39b0f7de2c4
Opcode Fuzzy Hash: 5bfce507183190557cb8d360b78cfe01414655f56c14d80ffc1f28d63533f192
Instruction Fuzzy Hash: CE410434A0011ADFDF159F69D859AAE7BB7FB88311F148029FD0697290DB349C56CB90

Function 0586B9F1 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209041427.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1061083f3b35e5efed23e3969ca2a03ccc0657accd9eeae0aad776ba8e89ff
Instruction ID: 7ef825124286b00a2ea78b658be88bef2387f6385cc818faba9bba403048e956
Opcode Fuzzy Hash: aa1061083f3b35e5efed23e3969ca2a03ccc0657accd9eeae0aad776ba8e89ff
Instruction Fuzzy Hash: EC21C234A14209AFEB55ABB49C05BAE7F77EBC9301F11C465EA05DB280DE305E0587A5

Function 016AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204911157.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ad9bcb96e91a127e66b6c2340a0722f839f92afb2b868780f4772c94df09b3b
Instruction ID: 3ea4a13adf87e39311ee1a7db18a4a610238bae81d94a0a2e05848860c4e429e
Opcode Fuzzy Hash: 8ad9bcb96e91a127e66b6c2340a0722f839f92afb2b868780f4772c94df09b3b
Instruction Fuzzy Hash: 9F214FB1244200EFCB14DF68D9C0B26BBA1FB88314F60C56DE90A0B792C37AD807CE61

Function 016AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204911157.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1bb01eb59f9037b87ee725b9db3b3fc09484075633a9e108201753365ad8eb
Instruction ID: 319d035fbe3df74b35a923dead37d0e83d33363f15c0147dc7b8c2b1466ed60b
Opcode Fuzzy Hash: eb1bb01eb59f9037b87ee725b9db3b3fc09484075633a9e108201753365ad8eb
Instruction Fuzzy Hash: 59213475504200EFDB05DF94D9C0B2ABBA1FB84324F60C5ADEA0A4B752C77ADC06CE61

Function 0586BA00 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209041427.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a34d5af5a1aad5d4a25f68fe9ddc385ac9249c3a50a3aef8d63e1e8ef6e62be
Instruction ID: 59f01ab1fcdf9124e08f82dceec46f1e8fe7af148cb0781367a78e324ae590b8
Opcode Fuzzy Hash: 5a34d5af5a1aad5d4a25f68fe9ddc385ac9249c3a50a3aef8d63e1e8ef6e62be
Instruction Fuzzy Hash: 7B21A134B14208AFEB55AB74DC06BAE7FB7EBC5602F10C466E905DB280DF305E0987A5

Function 0586C210 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209041427.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07adf014f4302aaf4b5f7a6591d9fadea1563dd08811312c6b010f34b2cba2f
Instruction ID: 747a89f0d7cc6ca40a7977133bad4a3aa2e7a8eb44c7caa0b669a9b7a8bbe550
Opcode Fuzzy Hash: a07adf014f4302aaf4b5f7a6591d9fadea1563dd08811312c6b010f34b2cba2f
Instruction Fuzzy Hash: 60213C75A042468FCB14DFE8C898A6EBBF1BF89214F1540A6ED45DB361D730DC81CB61

Function 016AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204911157.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c009bc0a7e273c1b06584fc793d5240b01d9b988b0e2c8c0afdd91c8296e955c
Instruction ID: f23d6ceaa8eeb7f6f5cc8c58f91ddaf79f4fe5e1fa9e10feba209a61b6b1cefe
Opcode Fuzzy Hash: c009bc0a7e273c1b06584fc793d5240b01d9b988b0e2c8c0afdd91c8296e955c
Instruction Fuzzy Hash: 382180755483809FCB02CF54D994B11BF71EB46314F28C5DAD8498F6A7C33A9846CB62

Function 0586BDDA Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209041427.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c76f2dec2f44e8dbee1732e1ec8d6ee06158c8a37b90a379db7820d0016b4c5
Instruction ID: 1d911a8648a7e0d9b23be2b97250898a0069d800b58d7847005e3ca86693eae8
Opcode Fuzzy Hash: 9c76f2dec2f44e8dbee1732e1ec8d6ee06158c8a37b90a379db7820d0016b4c5
Instruction Fuzzy Hash: 90211235A00109EFCF04DFA4E949AED7BB2FB88311F144069EA02BB260DB319D55CBA0

Function 016AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204911157.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: f73afae1765df08e42817945fb3ce3860f6bf8efaf8ac82af146eaf65075a4dc
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: BA11BB75504280DFCB02CF54C9C4B15BBA1FB84224F24C6A9D9494B7A6C33AD80ACF61

Function 0169D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204800401.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_169d000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acd8d6ca330acea392ce828ec9bde825755f51ea586aa7828804addd7f2c7390
Instruction ID: 17156d9894ef7d94c0bdb71fa5894831eb39e7ab93f1c26cd5b2ecdab1cbb733
Opcode Fuzzy Hash: acd8d6ca330acea392ce828ec9bde825755f51ea586aa7828804addd7f2c7390
Instruction Fuzzy Hash: 5701F7710043809BFB104EA9CDC4B3ABF9CDF41274F08C52AEE081E282C7799441CA71

Function 0169D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204800401.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_169d000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1fe5c37bd290ba6c6ec21d8239f7bcbf03efbe5c4da45bf877327cdf26be19b
Instruction ID: 599ed3f3fb41612b9ea52aabef7939008c35dad82669b6692c214b891786dee7
Opcode Fuzzy Hash: e1fe5c37bd290ba6c6ec21d8239f7bcbf03efbe5c4da45bf877327cdf26be19b
Instruction Fuzzy Hash: EEF062714053849FEB118E59DDC8B66FF9CEB81634F18C55AED085E286C3799844CBB1

Function 0586C1FF Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209041427.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62d92a6e66d4d56e422d3890169cd9fe49921826af56032766de30042795045
Instruction ID: e1b2943c428609ca73983d14d226c7f4a28453f3c9cca093bbb1e7ce860c161d
Opcode Fuzzy Hash: b62d92a6e66d4d56e422d3890169cd9fe49921826af56032766de30042795045
Instruction Fuzzy Hash: 4FE09235601105EADF206EE1AC886AB7F75FB99265F008432ED0596241DB30895686A0

Non-executed Functions

Function 05910E08 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209072743.0000000005910000.00000040.00000800.00020000.00000000.sdmp, Offset: 05910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5910000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f298bbc270ce527744a09b7fe0fb07c71a511429c46b5611b5c8b2d345fbddec
Instruction ID: 1d166469f0e5bbaff5e6a07d40aebc4b98c18c5773f1b141411bc90ddec455c1
Opcode Fuzzy Hash: f298bbc270ce527744a09b7fe0fb07c71a511429c46b5611b5c8b2d345fbddec
Instruction Fuzzy Hash: 601297B0401745EAD330EF65FC4C199BBB1B766324BB0E609D2616F2E9EBB8154ACF44

Function 0586A810 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209041427.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934cc01aa7aedf5eaf91475c6f01e86f49c41a68370b7041305d14c8f89f6f22
Instruction ID: 9a4db95a8e09219b11463dc70d3b668d1a1ff690a59a49a2c8729a12ddc07436
Opcode Fuzzy Hash: 934cc01aa7aedf5eaf91475c6f01e86f49c41a68370b7041305d14c8f89f6f22
Instruction Fuzzy Hash: B8D1E435D20B5ACACB00EB64D9916E9B7B5FFD9300F20979AE40937210EF746AC5CB91

Function 0586A820 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209041427.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53fbeb07634fbb4ffdf29731f3b645c091f3125adf983cdd80c810eb19fd801
Instruction ID: d28e7d2703bf311384df52bf866bb817d090d48d4d06ade80812428d92e75b45
Opcode Fuzzy Hash: f53fbeb07634fbb4ffdf29731f3b645c091f3125adf983cdd80c810eb19fd801
Instruction Fuzzy Hash: 07D1E435D20B5ACACB00EB64D9916A9B7B5FFD9300F20979AE40937210EF746AC5CB90

Function 05910040 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209072743.0000000005910000.00000040.00000800.00020000.00000000.sdmp, Offset: 05910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5910000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c09b57e4126c742e8a294fdba6ec282d037d7483b1f0b85200f6c2852f663c4d
Instruction ID: de411c297f792370f50cc243a01d6311a33886ac655de30c6c980231cfcc3060
Opcode Fuzzy Hash: c09b57e4126c742e8a294fdba6ec282d037d7483b1f0b85200f6c2852f663c4d
Instruction Fuzzy Hash: 6CA18036E0021ACFCF15DFB4C8445AEB7B6FFC5300B15856AE806AB265DB32E946CB40

Function 05910DFB Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209072743.0000000005910000.00000040.00000800.00020000.00000000.sdmp, Offset: 05910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5910000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2e5b08160ea49096351542f12addaadf007263ac45ce69bcc9ba3cd0d5898d
Instruction ID: a38177995d2c083f3d2f2dd1583e1add23511d079b9123277d8f7bbab162c58c
Opcode Fuzzy Hash: 6a2e5b08160ea49096351542f12addaadf007263ac45ce69bcc9ba3cd0d5898d
Instruction Fuzzy Hash: 8CC1ECB0401745EAD720EF64FC4C199BBB1BBA6324FB0E719D1616B2E9EBB4144ACF44

Analysis Process: Order_List.scr.exePID: 5900, Parent PID: 1548COMMON

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	47.4%
Total number of Nodes:	19
Total number of Limit Nodes:	0

Executed Functions

Function 05D87D90 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8acce9d328aa225512fec10eaa53e98f48e1633470b11aca61fad170744207
Instruction ID: 4d8e1070132bde9b84d01dd536f582ddbe91a4ff282c39a2013db6207115df2d
Opcode Fuzzy Hash: 9e8acce9d328aa225512fec10eaa53e98f48e1633470b11aca61fad170744207
Instruction Fuzzy Hash: 32F1F574E01218CFDB14DFA9D884BADBBB2FF84304F5482AAD448AB355DB719986CF50

Function 014B9858 Relevance: .9, Instructions: 858COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c136ae7cb421da0d2878cf5714a8b41edd4d227d4b9a7bee174b642a0763f4a
Instruction ID: 376f7d144e3c0592ed648481c0b126377860051971ab268052afee5660e9fef3
Opcode Fuzzy Hash: 6c136ae7cb421da0d2878cf5714a8b41edd4d227d4b9a7bee174b642a0763f4a
Instruction Fuzzy Hash: 48726175A00209DFCB15CF68C984AEEBBF2FF88314F25855AE9059B3A1D731E941CB60

Function 06EA11A0 Relevance: .7, Instructions: 745
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5da495ed607ec66bbb0856a7bc89cb064cb2175986241a0046a45e9df31759
Instruction ID: 8ca4665a64fcda03065230506ca5fbace3d7e7f353040e350732db70ccfcc402
Opcode Fuzzy Hash: 8c5da495ed607ec66bbb0856a7bc89cb064cb2175986241a0046a45e9df31759
Instruction Fuzzy Hash: 60826174E01228DFDB65DF69D894BDDBBB2BB89300F1081EA980DA7261DB745E85CF40

Function 014BF007 Relevance: .7, Instructions: 713
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b086660635cbf2a061fffcea6ac58aa377fce4751910dfe3c230ba043f94261b
Instruction ID: 32c2c043ad8466d2ba62d7c73741305cf99f7c75e181b85447198312571d9ed1
Opcode Fuzzy Hash: b086660635cbf2a061fffcea6ac58aa377fce4751910dfe3c230ba043f94261b
Instruction Fuzzy Hash: F672BF74E012698FDB65CF69C984BDDBBB2BB49300F1491EAD40CA7261DB349E86CF50

Function 014B6108 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 459c70048325360c6cea163381cef64681ef0389ecde36a89a46886fbb68a46d
Instruction ID: f567363c1cb40881ae59faceabc5da3efe1fa1dc672024de340ed4113f8c48e4
Opcode Fuzzy Hash: 459c70048325360c6cea163381cef64681ef0389ecde36a89a46886fbb68a46d
Instruction Fuzzy Hash: 40128170A002198FDB18DFA9C894BAEBBF6BF88300F15856AE505DB3A5DB349D45CB50

Function 014B6730 Relevance: .5, Instructions: 452
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1a444c3ecbbad36b58da8d19780a5853887aae9a970df3a7de185d7e3065633
Instruction ID: d0f63a9b29f0fb2e9ffa7c068b3bf01840f96579d30cfd0701e6bc21c4b558c2
Opcode Fuzzy Hash: c1a444c3ecbbad36b58da8d19780a5853887aae9a970df3a7de185d7e3065633
Instruction Fuzzy Hash: DC023971A00219DFDB15CFA9C984AEEBBB6FF89304F16846AE505AB271D730D941CB60

Function 014B3578 Relevance: .4, Instructions: 435
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1366489fe4abbf87a6199c8dd04d158490d6dc61191e7c522132b502f27eae3
Instruction ID: 0bd70336dba0ca0315547eaa864ef56c85670f8f456d389b8d823666855bf2dc
Opcode Fuzzy Hash: c1366489fe4abbf87a6199c8dd04d158490d6dc61191e7c522132b502f27eae3
Instruction Fuzzy Hash: AFF15D74E012489FDB18DFB6D4945AEBBF2FF88710B14856EE806AB364DB359C02CB51

Function 014BB328 Relevance: .4, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d58c0fa1424a3289f8707e7bd8fdfad1869e7c6c818ea50e127895f008a1d41
Instruction ID: c296c8fc0c9ec7a5698d4cc3e3def252a7b456277786b7ef8ddc8b19816f90d0
Opcode Fuzzy Hash: 7d58c0fa1424a3289f8707e7bd8fdfad1869e7c6c818ea50e127895f008a1d41
Instruction Fuzzy Hash: 11F1FC75A00618CFDB15CFA9C994A9EBBB1FF49310F15816AE809AB372DB349C41CF61

Function 06EA8608 Relevance: .3, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eeb4bf031f357c5c72b5540ae55442146bd892aca38ab5461bb66456e02f745
Instruction ID: 3b9b855b163eb38256dda9a450428cfe7ccd3587e22789335280fcefcc594ce4
Opcode Fuzzy Hash: 9eeb4bf031f357c5c72b5540ae55442146bd892aca38ab5461bb66456e02f745
Instruction Fuzzy Hash: 65E1BF74E01218CFEB64DFA5D944B9DBBB2FF88304F2081AAD408AB395DB755A85CF50

Function 06EAB6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec5e97df869d123a80f33e06a1f95f790ddbffc743ddc75a690baccd9ccfc94
Instruction ID: 3e3ef7421f94380d5e03998e6e5e8ff20053eb92a31ac5a67c787faf499a5f4d
Opcode Fuzzy Hash: 9ec5e97df869d123a80f33e06a1f95f790ddbffc743ddc75a690baccd9ccfc94
Instruction Fuzzy Hash: 36A1A474E012188FEB68CF6AD944B9DBBF2BF89300F14D1AAD40DA7250DB745A85CF10

Function 06EAD670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32966f753e247426a11e65ea505002860eebd12a5f019c3695029e36e6ab1c16
Instruction ID: 23a2d42dd996e21557faf4cc6cb6860bd7311f971e66ea6ad278bf6bc0953dae
Opcode Fuzzy Hash: 32966f753e247426a11e65ea505002860eebd12a5f019c3695029e36e6ab1c16
Instruction Fuzzy Hash: 00A1A474E012188FEB68CF6AC944B9DBBF2BF89300F14D1AAD40DAB254DB745A85CF50

Function 06EAA408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c13f5558b8cb969512052205b05eca7921788e83c102e19a44dd49dc9f4ca2
Instruction ID: f5549332c43af277d3945b95db89e6930ae8f4bd5eeb0d23e4634201a69cd588
Opcode Fuzzy Hash: 67c13f5558b8cb969512052205b05eca7921788e83c102e19a44dd49dc9f4ca2
Instruction Fuzzy Hash: 29A1A275E013188FEB68CF6AC944B9DBBF2BB89300F14D1AAD40DA7254DB745A85CF50

Function 06EABD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcdf9b8787d25a23c117fda2486dc5c7b57d82006974043d7ed1a611dea553be
Instruction ID: 54e99beb205a9f02073bcf259b083db1cecba80e49cf7b5573c51d78496f18fa
Opcode Fuzzy Hash: bcdf9b8787d25a23c117fda2486dc5c7b57d82006974043d7ed1a611dea553be
Instruction Fuzzy Hash: CAA1B374E012288FEB68CF6AC944B9DBBF2BF89300F14D1AAD40DA7255DB345A85CF51

Function 06EAC388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2075cff7fabbd52b931df649155fe4df6685abe50add467aa96ca3f81aff56e
Instruction ID: 1395ce0ff7249b6410c821eff4e1d711e1bc0275f21ac5a8c3bcdeb254e3d590
Opcode Fuzzy Hash: a2075cff7fabbd52b931df649155fe4df6685abe50add467aa96ca3f81aff56e
Instruction Fuzzy Hash: 62A1B375E01228CFEB68CF6AC944B9DBBF2AF89304F14D0AAD40DA7250DB745A85CF50

Function 06EAC9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0aba7b43db1520ae8d57f5d2b4d4ed4eebd3d7fc76db8dc3272c4b766091c66
Instruction ID: 5af7e08151cdd93adba2fce8cc79dcc5f31ec9ccea218292275df61cca34bc2f
Opcode Fuzzy Hash: f0aba7b43db1520ae8d57f5d2b4d4ed4eebd3d7fc76db8dc3272c4b766091c66
Instruction Fuzzy Hash: 4CA1B475E012188FEB68CF6AD944B9DBBF2BF89300F14D1AAD40DAB254DB345A85CF50

Function 06EAAA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0542d39a070839d7ea6cb35a3b991c42bd440b30eea7ecee6edff75934ac08
Instruction ID: c86497961232ae638d0f127bb1ca5e8c33fa84ba4713136ec0872a1c7439ca96
Opcode Fuzzy Hash: 8f0542d39a070839d7ea6cb35a3b991c42bd440b30eea7ecee6edff75934ac08
Instruction Fuzzy Hash: A5A19375E013188FEB68CF6AC944B9DFBF2AF89300F14D1AAD409AB254DB745A85CF50

Function 06EAB0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67919a6456698bef5c6b2c930b4c22387e67e7eb0b29402b25d12a6420ef00f
Instruction ID: 2c0f5f4d4e1bba0f57790d7c59cdc4fd4ce8b3d621e8a58a1a826b9a0e610b97
Opcode Fuzzy Hash: a67919a6456698bef5c6b2c930b4c22387e67e7eb0b29402b25d12a6420ef00f
Instruction Fuzzy Hash: 3DA1A374E01228CFEB68CF6AC944B9DBBF2BF89300F14D1AAD409A7255DB745A85CF10

Function 06EAD028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3128a8401e372ba6f4e9ecb2d72e2df4b753dcf9a4ec30c16fff506c94dfa645
Instruction ID: 6a5b28c3256286c2506728c24777afc59012984413815de1be30ad596fe0057f
Opcode Fuzzy Hash: 3128a8401e372ba6f4e9ecb2d72e2df4b753dcf9a4ec30c16fff506c94dfa645
Instruction Fuzzy Hash: 4AA1A175E012288FEB68CF6AC944B9DFBF2AF89300F14D1AAD40DA7250DB345A85CF50

Function 014BC190 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7604c088efeb5437b336b147afe14eee3ed952eb15d45a3c6cb41baceb79dc61
Instruction ID: 068fb1eedcc74892062457969c67cf130311ac283d4c8127525ca12a4252de3a
Opcode Fuzzy Hash: 7604c088efeb5437b336b147afe14eee3ed952eb15d45a3c6cb41baceb79dc61
Instruction Fuzzy Hash: D391A474E01218CFDB54DFAAD994ADDBBF2BF89300F14906AE409AB365DB709942CF50

Function 014BC470 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63837ff74afffb444d913842743961e2604970fbdd49c9fd7afab3bb6804cedd
Instruction ID: 86549c8e0b405080cba6ba2731edb276f6e506728e6c2effc3db5a1de9863e2a
Opcode Fuzzy Hash: 63837ff74afffb444d913842743961e2604970fbdd49c9fd7afab3bb6804cedd
Instruction Fuzzy Hash: FE91C574E00218CFDB14DFAAD994A9DBBF2FF89300F24916AD819AB365DB705942CF11

Function 014BBBD3 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a54e1f8e77a065de5d61faeed4bd984c6aaf3bd11e77e1702f76845fdbf72850
Instruction ID: d31ea6f08be62f8a9b799b99fb6486d8219078b98a333387a92dcb04917736c0
Opcode Fuzzy Hash: a54e1f8e77a065de5d61faeed4bd984c6aaf3bd11e77e1702f76845fdbf72850
Instruction Fuzzy Hash: 6291A474E00218CFDB14CFAAD894A9DBBF2FF89300F14816AD409AB365DB749942CF21

Function 014BC754 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f7c7429ea7ce0ae1b209e8c348581ba1120b9da725f78f407c7d39d7d89cde
Instruction ID: 1b84bbe04b1f7f23e389448c5eb9ae8c4f299719884657994155fa17fd9325a0
Opcode Fuzzy Hash: 21f7c7429ea7ce0ae1b209e8c348581ba1120b9da725f78f407c7d39d7d89cde
Instruction Fuzzy Hash: A681C774E00218DFEB14DFAAD994A9DBBF2BF89300F14906AE419AB365DB705942CF50

Function 014BBEB0 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 853f932f33786bed08098db740b89dc9d8466bfbbeebe280100beaead821e12d
Instruction ID: 9bcde2e6b0c1efa805574720f46239223c0f4265b6a0e70052a1381a86287047
Opcode Fuzzy Hash: 853f932f33786bed08098db740b89dc9d8466bfbbeebe280100beaead821e12d
Instruction Fuzzy Hash: 1F81B574E00218CFDB54DFAAD984A9DBBF2FF89300F14806AD409AB365DB749981CF61

Function 06EA8C57 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d1f58ce947100a1521c413ec3bf041e190e8b5d245694fc096c1a303edd7dc
Instruction ID: f2fe9defce722dfedb62664b0c481e2a7dd6a72e2ccbac5dcf7ceef67b748145
Opcode Fuzzy Hash: 64d1f58ce947100a1521c413ec3bf041e190e8b5d245694fc096c1a303edd7dc
Instruction Fuzzy Hash: 4281DE74E01318CFDB58DFAAD844BAEBBB2BF89300F20916AD419AB394DB305945CF50

Function 014BCA34 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a1c3261a4de64752c854bed697aa60fd697c48ff7a766734cb525a8cbd6ec2
Instruction ID: e951df622965ce543e85934bf8ff521c441cfedea7abe0e9fb50c227cbb3a10c
Opcode Fuzzy Hash: 39a1c3261a4de64752c854bed697aa60fd697c48ff7a766734cb525a8cbd6ec2
Instruction Fuzzy Hash: 01819674E00218CFDB14DFAAD994A9DBBF2BF88300F14C06AE819AB365DB745942CF51

Function 014B4AD9 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5593b93cc90ac83bfe311cf0c0567dab1dab525917e939c6a504c4794e9a7b67
Instruction ID: 85f4bcae6f0d9a5e5ef9520ce073463783d98bcb15688893ad751790a2b24c2f
Opcode Fuzzy Hash: 5593b93cc90ac83bfe311cf0c0567dab1dab525917e939c6a504c4794e9a7b67
Instruction Fuzzy Hash: BF81A474E00218DFDB54CFAAD994A9DBBF2FF88300F15806AD819AB365DB749945CF10

Function 06EA1191 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e49646ead60ac12c0a97a45b90d0b00710a90ce84d1fab0db3e1e60f2ae27cf
Instruction ID: bf0490657a7d703c1e07bd01b5f19cbeceb3e5d10d64c85d3f29ee818f738d15
Opcode Fuzzy Hash: 6e49646ead60ac12c0a97a45b90d0b00710a90ce84d1fab0db3e1e60f2ae27cf
Instruction Fuzzy Hash: CE819F74E412299FEB65DF69DC54BEDBBB2BB89310F1081EAD819A7250DB305E818F40

Function 06EAAA4F Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450829a26deb090f1b4f37d0fb4045444e770a820234c149426756ae87dac2c3
Instruction ID: 0e2da9e74709f2e97ab49f324f52122a8ec9f8ad6c6881003709752df294f7c8
Opcode Fuzzy Hash: 450829a26deb090f1b4f37d0fb4045444e770a820234c149426756ae87dac2c3
Instruction Fuzzy Hash: FA71A470E01618CFEB68CF6AC944B9DFAF2AF89304F14C0AAD40DA7254DB345A85CF51

Function 06EAD027 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ea1281eb718322f906682aeae2370a5716a86788fe65698c602a6a603d0776
Instruction ID: 3a6bc601e332ac280b9c7e576009ff4afeef23199a4c25a67239d224a494b147
Opcode Fuzzy Hash: 10ea1281eb718322f906682aeae2370a5716a86788fe65698c602a6a603d0776
Instruction Fuzzy Hash: 8F718271E01628CFEB68CF6AC944B9DFAF2AF89300F14C0AAD40DA7254DB345A85CF51

Function 06EA85FB Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9198f18f2774cbe542d31595f04ff7a755d318f79ccc5f7e5e54b53589e410d6
Instruction ID: 4d2efc8335f56faf6731cfcc5cc8be21d42c6c3a1863374e949199ae5c8e9a41
Opcode Fuzzy Hash: 9198f18f2774cbe542d31595f04ff7a755d318f79ccc5f7e5e54b53589e410d6
Instruction Fuzzy Hash: 6641B6B4D012088BEB58DFAAD8447DEBBB2BF88304F14D16AC418BB294DB755946CF64

Function 06EAC9D3 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6306ff6ced642abed4340f0a2272c70303aea8158f3c44e941916cba971eea66
Instruction ID: dacacd04c1b7a1eac5cc0f88613785d47f912382be2839008e5596e3b9783ac7
Opcode Fuzzy Hash: 6306ff6ced642abed4340f0a2272c70303aea8158f3c44e941916cba971eea66
Instruction Fuzzy Hash: 0D419971E016188BEB58CF6BDD447DAFAF3AFC8304F14D0AAC50CAA264DB740A858F51

Function 06EAA3F8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f34aab404f849e27a8767014b52213382f87dce0fa8a263315777a8e6deafa
Instruction ID: 5d807608006c13b01dacf696e99fa5887d0f81a20438f1829c9f2356828826db
Opcode Fuzzy Hash: b4f34aab404f849e27a8767014b52213382f87dce0fa8a263315777a8e6deafa
Instruction Fuzzy Hash: AE419DB5E016188BEB58CF6BC9457CAFAF3AFC9310F14C1AAD50CA6264DB740A85CF51

Function 06EAB6E3 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd502983385c774addbf9194b40982a579dc30e437184b14b43200497870e40e
Instruction ID: 11b4f81c82669b8a8fc825e9a942a637ee5244c1b61f68e3c1459e0ae3038e1b
Opcode Fuzzy Hash: fd502983385c774addbf9194b40982a579dc30e437184b14b43200497870e40e
Instruction Fuzzy Hash: D54158B1E016188BEB58CF6BD9457CAFAF3AFC9304F14C1AAC50CA6264DB750A85CF51

Function 06EAD66B Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a71c34fe4c890497ba0d65826c63a570992f3d6cc25418e8b6390a07561ff51
Instruction ID: 5a2c23043b4f95524e13f6b789f4342c52971a7097ae7c231ecc6e7124eff3a6
Opcode Fuzzy Hash: 0a71c34fe4c890497ba0d65826c63a570992f3d6cc25418e8b6390a07561ff51
Instruction Fuzzy Hash: 1E4149B1E016188BEB58CF6BDD457CAFAF3AFC9304F14C1AAC50CA6264DB740A858F51

Function 06EABD37 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0fffb4c50faabd63dcf4c53012f58b2a72ad10bb1cd729ebc6700d096a2071
Instruction ID: 165f9164dff15476cd3bfcccf44334be330ac4f35e62df1ba905d6e7106aa47a
Opcode Fuzzy Hash: aa0fffb4c50faabd63dcf4c53012f58b2a72ad10bb1cd729ebc6700d096a2071
Instruction Fuzzy Hash: C74148B1E016188BEB58CF6BD9457DAFAF3AFC9304F14C1AAC50CA6264DB740A858F51

Function 06EAC387 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87afa4c0e36076a2a5818bdbc06d938fc9fd1532804073d2c9dad9056378da57
Instruction ID: 1a9b11847b61b1c16c43079e71350925bfcdd22f0f54d5889fd95086e8fd5b63
Opcode Fuzzy Hash: 87afa4c0e36076a2a5818bdbc06d938fc9fd1532804073d2c9dad9056378da57
Instruction Fuzzy Hash: 6D4148B1E016188FEB58CF6BD9457DAFAF3AFC9304F14C1AAC50CA6264DB740A858F51

Function 05D88174 Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 05D882B6

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4b04b7cef68cf683734b96b1eac37bb5bb8166c0a5d7a6ad180462b723976c0a
Instruction ID: 71f70a1088d379b803033b06d542ce6d6bce45d74c37a612d0bc97c0834d12de
Opcode Fuzzy Hash: 4b04b7cef68cf683734b96b1eac37bb5bb8166c0a5d7a6ad180462b723976c0a
Instruction Fuzzy Hash: B2116A74E002199FDB04EBA8D884FBDB7F6FB88304F948666E844E7251D771E942DB60

Function 014B77F0 Relevance: .7, Instructions: 702
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9418bf5968b22702287f437529e6652c5ae707e9d6e96fd104fd3ad6e327a2e1
Instruction ID: 085a270f863b18474db516280871d06075e751e37a9c62952cc67bd6dc916367
Opcode Fuzzy Hash: 9418bf5968b22702287f437529e6652c5ae707e9d6e96fd104fd3ad6e327a2e1
Instruction Fuzzy Hash: C9522134A00219CFEB549BE5C860B9E7B72FB94340F1080AED60A6B365DF359E85DF61

Function 014B6E58 Relevance: .5, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e455b254bcb231da3c200c08b77710ffd6bfc6cd06e9bce05771a7e52d357c6
Instruction ID: 58fd7040d4a5291312bfd1442f8f4416803589e44b5b4226fe751733cd365896
Opcode Fuzzy Hash: 4e455b254bcb231da3c200c08b77710ffd6bfc6cd06e9bce05771a7e52d357c6
Instruction Fuzzy Hash: A3123A30A00209CFDB19DF69D984A9EBBF2FF88315F15855AE9059B3A1DB31ED41CB60

Function 014BA818 Relevance: .4, Instructions: 415
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e45052a0eb7e1878c5c9870209acf2f9477b00a543956089ac40bf460f4745
Instruction ID: b1c4c30f08f5a85f25d150391240b50ac731002847d4896d0a52babe56ed943e
Opcode Fuzzy Hash: 13e45052a0eb7e1878c5c9870209acf2f9477b00a543956089ac40bf460f4745
Instruction Fuzzy Hash: 9BF11C75A001158FCB15CF6DC9C49ADBBF6BF88310B2A845AE515AB371DB35EC81CB60

Function 014B0C8F Relevance: .4, Instructions: 406
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61f49f6069e8d80f05f4c477e86304356bcd44d08e2d81260e632c772de830e2
Instruction ID: ada1af844a63027d8d203c3fbe221d0b443f55f404b88b7d468e1ff18af7430a
Opcode Fuzzy Hash: 61f49f6069e8d80f05f4c477e86304356bcd44d08e2d81260e632c772de830e2
Instruction Fuzzy Hash: 1422017890021ACFCB54DFA6E994A9DBBB1FF88301F1081A9D919AB354DB345E85CF41

Function 014B0CA0 Relevance: .4, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbacbc65c678db3ca797c04946f872f1060c9c2210a5b84af7125576d9439966
Instruction ID: 5403337347be1af745450ef353346088d8aece2dc08139c7d1b3e8d6d9a8d9c1
Opcode Fuzzy Hash: cbacbc65c678db3ca797c04946f872f1060c9c2210a5b84af7125576d9439966
Instruction Fuzzy Hash: 65220078A0021ACFCB54DFA6E994B9DBBB1FF88301F1081A9D919AB354DB345E85CF41

Function 014B87E9 Relevance: .3, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe894e1e2bfa4647ddd234f84956a3f8c5c54ffea76d6874505f368f84557d13
Instruction ID: 3445184a05096c8b709ca0ee670c3c1b86491851014a36cf6fb5e43be972b83d
Opcode Fuzzy Hash: fe894e1e2bfa4647ddd234f84956a3f8c5c54ffea76d6874505f368f84557d13
Instruction Fuzzy Hash: 1EB10E707145028FEB159B3DC998BBA3A9EEF85604F1554ABE602CF3B1EE35CC428761

Function 014B56A8 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98fd0c2de351699f53e559410109cf755197143147fb1ed9fde1e64212099d0d
Instruction ID: 829ecb514e0685332ae3e20cef58e6a9b4516b7e158995b917e0b86faa863127
Opcode Fuzzy Hash: 98fd0c2de351699f53e559410109cf755197143147fb1ed9fde1e64212099d0d
Instruction Fuzzy Hash: C79190307042458FDB1A9F79D894BAEBBA2BFC9700F14446AE5068F3A5DB748D05CBA1

Function 014B5C08 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ab10b31151c06133c9ded3885a634ea4e6aa41cc7b50d9962891604035f766
Instruction ID: 255266295fb9b4d8e524005c158a81a02f0cda407eb1b09d7dd3486d7dbe8f5c
Opcode Fuzzy Hash: 41ab10b31151c06133c9ded3885a634ea4e6aa41cc7b50d9962891604035f766
Instruction Fuzzy Hash: 6F817C35A00505CFDB15DFADC4C8AAAFBB6BF89210B14826AD505DF371DB31E842CBA1

Function 06EA9510 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d11b2cc8cb2dbfc721451e4231ec798e21ed2d9912fbfc3df9b29fec1606b2d1
Instruction ID: 6ed4bfc8eb3ab97f6b05729b633ce972f6b734fae842f1955d189115819b6ae4
Opcode Fuzzy Hash: d11b2cc8cb2dbfc721451e4231ec798e21ed2d9912fbfc3df9b29fec1606b2d1
Instruction Fuzzy Hash: 76719F31F103198BDB59DFA5C8506AEBBB2AFC8750F14842AE805BB380DF34AD46C791

Function 014B7438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b3e6a3a589129e7b78b8ea943970464a4f884e9293e9e19a76465aff2d7aa9
Instruction ID: 8ad312b10fa056d68f0b0f008c36c4023ee9f4699bdaf81f827d2d2f3c62f856
Opcode Fuzzy Hash: 30b3e6a3a589129e7b78b8ea943970464a4f884e9293e9e19a76465aff2d7aa9
Instruction Fuzzy Hash: 88711B347002458FDB15DF2DC4D8AAA7BE5AF89252F1500AAE906DB3B1DB74DC42CBA0

Function 014BCEC7 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c7b46c11d9a5fbb951508030617aa991fd4e0e76c1407a2d5f44b1f38ac12f
Instruction ID: 4f4c7d694892bd1f4f195af2aed423550baa706df212f65928f2893990357fd6
Opcode Fuzzy Hash: 55c7b46c11d9a5fbb951508030617aa991fd4e0e76c1407a2d5f44b1f38ac12f
Instruction Fuzzy Hash: 8551B0700213038FC3603FB0A1EC56ABBA1FB4F36B701AE24E50E85429AB706659CF91

Function 014BCED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d60e5aee9b9152c71427d92e6e8ca639707e75356889b38cd9516c05868eefb
Instruction ID: 6d8dc86cf21d48126615da92b01f7ac475c8e8e831510c33b22535ce6cda8041
Opcode Fuzzy Hash: 6d60e5aee9b9152c71427d92e6e8ca639707e75356889b38cd9516c05868eefb
Instruction Fuzzy Hash: 8751A270021303CFC3203BB0A1EC56ABB65FB4F36B7016E24F54E85429AB706655CF91

Function 06EA249D Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707ea1cd45d9719cbc49450ab369f51606c9d135b4acf42ae8f273ab39ab539d
Instruction ID: a6da88c56dfdad4b1b690cb68483357af445cd42db9cb8dbd8c3073e937c4bc7
Opcode Fuzzy Hash: 707ea1cd45d9719cbc49450ab369f51606c9d135b4acf42ae8f273ab39ab539d
Instruction Fuzzy Hash: 8C51BE35B102168FDB48DF79D85896E77F2BF88610B198169E505EB3A4EA30ED01CB91

Function 014BE2D9 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e23dfd47c42ea6ac6f57c5efbd9f0ee2943c581de6ba792b02843c7c0c59e5
Instruction ID: c016581e904448173d547144a395209d92c0d56d6e6e9209547ee4217b49a657
Opcode Fuzzy Hash: 92e23dfd47c42ea6ac6f57c5efbd9f0ee2943c581de6ba792b02843c7c0c59e5
Instruction Fuzzy Hash: FB61ED74D01218CFDB14DFE5D894AEEBBB2FF88304F209529D805AB265DB795A85CF40

Function 014BCD10 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f9895dd7e42ae954ff66d8e4c6c34e1a380ef82262af264636edd5ee4fa7d7
Instruction ID: 28288d2e2b6c52bc34de3c3d8e73bd83c065f4249f24a6543e642701fddfe57f
Opcode Fuzzy Hash: e6f9895dd7e42ae954ff66d8e4c6c34e1a380ef82262af264636edd5ee4fa7d7
Instruction Fuzzy Hash: 32518474E01208DFDB58DFAAD58499DBBF2FF89310F24816AE819AB364DB319801CF50

Function 06EADCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6725fa14561770ab036ebc6d9d360d396ca6bd05c0fc045e1bc00e5cc2aeadce
Instruction ID: 37951ae44b619fdad5dc5e3399e98edb89a3853c98ea171c2b741bd71b76bbb6
Opcode Fuzzy Hash: 6725fa14561770ab036ebc6d9d360d396ca6bd05c0fc045e1bc00e5cc2aeadce
Instruction Fuzzy Hash: A2415C3590131ACFEB14AFB1D45C7EEBBB1EB4A31AF105829D1016B2E4CB780A48CF51

Function 014B3908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 178d171c87f4cb7244f1cf0ea587cded9e2ee6249e20b3a47fc1d157bdecd805
Instruction ID: e9efab52186a629ccf032447b0f9a005cde5d05a7d1a78bc98a53b15d6f3c3df
Opcode Fuzzy Hash: 178d171c87f4cb7244f1cf0ea587cded9e2ee6249e20b3a47fc1d157bdecd805
Instruction Fuzzy Hash: 26519878E01208CFCB48DFAAD59499DBBB2FF8D311B20946AE415AB324DB359D46CF50

Function 014BF0E9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3496c0e4df8272bd316c991f0f7b1c7408ee53af4dafb94c2776806477bea25
Instruction ID: b2419c54938a0344a85eff1b085d6a684f55fbff78b543a4c65a82ee1543e3db
Opcode Fuzzy Hash: a3496c0e4df8272bd316c991f0f7b1c7408ee53af4dafb94c2776806477bea25
Instruction Fuzzy Hash: AA518D78E01228CFDB64DFA9D984BEDBBB1BB89301F1055AAD409A7360D7359E85CF10

Function 014B9A63 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 338812cf0d0b81cc768269a67ab9611540de883f06bfc0f2586e104edbc7f160
Instruction ID: b0aad934d369d273a058c6b296e4b1a82af5ba214b19466d26559e2b0ff96248
Opcode Fuzzy Hash: 338812cf0d0b81cc768269a67ab9611540de883f06bfc0f2586e104edbc7f160
Instruction Fuzzy Hash: F451A271A04249DFCF16CFA8C884ADEBFB2FF89354F048556EA119B2A1D3359951CB70

Function 014BA650 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ccc0adae405150fe1c50295f0b3dbb6acb980f062036c3c10f7854357293855
Instruction ID: e9b7fcbd6273c9ed5eb0751e43750249e41ffa59f0af025b3aecff2c09823575
Opcode Fuzzy Hash: 9ccc0adae405150fe1c50295f0b3dbb6acb980f062036c3c10f7854357293855
Instruction Fuzzy Hash: 9841D2357002049FCB19AB79D8546AEBBB6BFC8710F24406EE906D73A1DE319D02CBA1

Function 06EA9500 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0a01defbbf7379cdc01dabd7ba18841e9d96b4d933b5623e8d7a698d89db32
Instruction ID: 285edb2bfabc20893a546dab907cd1347fa34705dc8584b06aa3a5419d35e837
Opcode Fuzzy Hash: 0c0a01defbbf7379cdc01dabd7ba18841e9d96b4d933b5623e8d7a698d89db32
Instruction Fuzzy Hash: 94414031E1031A9BDB54DFA5C880ADEBBF5AFC8710F159129E415BB390EB70A946CB90

Function 014BD7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbf650549633fb679e2fd5c8cce57408b20de432d1d48196744b48fe5de5d52c
Instruction ID: de93f7528d5581d805ac0c99f798dba3c311042ac4add1b7f3194570f2b6d060
Opcode Fuzzy Hash: fbf650549633fb679e2fd5c8cce57408b20de432d1d48196744b48fe5de5d52c
Instruction Fuzzy Hash: 82414574D04248CFDB14CFE9D4846EDBBB1FF49309F2091AAD419AB264D7759882CF64

Function 014B3428 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f148b9aa864de79420b6a503f2272e7994e5e12717d8cb3462bb2cb3a08fc3e
Instruction ID: 4f17df68eacb38e23a2699bce7cc71ab2cc884bc0b77dfa45ff4d5ac75bb41ff
Opcode Fuzzy Hash: 3f148b9aa864de79420b6a503f2272e7994e5e12717d8cb3462bb2cb3a08fc3e
Instruction Fuzzy Hash: 39318179B002258BEB2D4DAF99D42BF699ABBC4250F18403BD916C73A1DFB8CC458671

Function 06EA9A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a874f7be670d28c8b73bca9c69b5c0dc24ab010e6c05f0489abbb86fa22ed0ec
Instruction ID: dc0815096ed7f72da918b524751ea80e36b46024f321d9f77caeb458fbe2d3ae
Opcode Fuzzy Hash: a874f7be670d28c8b73bca9c69b5c0dc24ab010e6c05f0489abbb86fa22ed0ec
Instruction Fuzzy Hash: 8E41C078E01208CFDB54DFE9D5846EDBBF2EF88304F10912AD815AB294DB786A46CF54

Function 06EA9A57 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e8813ee089d14723d4a93eee84c1c3894bb30a3c86b8fbdae8ca53656a6d6e
Instruction ID: f6446f313c0d7ac4cc6ad407909c6a761b37173b86cd642fbbfe2a5ad404e38a
Opcode Fuzzy Hash: b2e8813ee089d14723d4a93eee84c1c3894bb30a3c86b8fbdae8ca53656a6d6e
Instruction Fuzzy Hash: EB41D078E01208CFDB44DFE9D5846EDBBF2EF88300F10912AD815AB294DB786A46CF54

Function 014BD76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f7ea7eea2c8666fe1fd5586895b4bb24fdd63fba029f5b1ba7313e498ef8177
Instruction ID: 64e32e51ea169c69f6e92d3479652ded1c95ed1a62ff3966a8200385cf5cf2f0
Opcode Fuzzy Hash: 7f7ea7eea2c8666fe1fd5586895b4bb24fdd63fba029f5b1ba7313e498ef8177
Instruction Fuzzy Hash: A0410474D00208CFDB14DFE9E4846EDBBB2FF49319F2092AAD419A7264D7759882CF64

Function 014BD620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec3ef9516820db82d1d781cd8c6b10749980268b6bdae912e078b6726a28b66
Instruction ID: 9b72265ba1362a942c4a6d747396e8103153ec0f5a4a8a8e85ee97f3bcbc6f1c
Opcode Fuzzy Hash: 1ec3ef9516820db82d1d781cd8c6b10749980268b6bdae912e078b6726a28b66
Instruction Fuzzy Hash: 64410574D002088BDB04DFEAD4846EEFBB2FF89304F14D16AD518A7264DB759942CF64

Function 014B4DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb8ec4037bd1b3aa49596a446f7a951e3f226a08854254833b2435b2d19d178d
Instruction ID: 18b530768d638b45c0b178a544a7c5d546fe589271798b8a8fcec3f8a3b87f8c
Opcode Fuzzy Hash: cb8ec4037bd1b3aa49596a446f7a951e3f226a08854254833b2435b2d19d178d
Instruction Fuzzy Hash: A631C73560410A9FCF159F69D484AAF3BA2FB58710F04442AFA16CB366CB34CD65CFA0

Function 06EADCB1 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724af1546dab8ebd70a5bdc1f97115daad453bfa9c30bed31fff482d8e5a2d05
Instruction ID: 6fdbe88c87d18a9adaa29e31dddbf38cbad9735e6f8ffa89ce09f3d332133ed2
Opcode Fuzzy Hash: 724af1546dab8ebd70a5bdc1f97115daad453bfa9c30bed31fff482d8e5a2d05
Instruction Fuzzy Hash: EE316B34901319DFEB149FA5D45C3EEBBB1EF4A31AF005469D5116A2A0CBB80A48CF51

Function 014B76D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd17c7f53d00d01e5f7adbc59b6fc714b39ce132917571010dfb02229d4ee3b
Instruction ID: ee76cc1cdd2b9087fed06d8f7ca3fe1dd8262e10de82ecef3be42c155ec3df32
Opcode Fuzzy Hash: 9bd17c7f53d00d01e5f7adbc59b6fc714b39ce132917571010dfb02229d4ee3b
Instruction Fuzzy Hash: 6221C7383042418BEB16173D88D45BE3A97AFC9656B1440BBD501CB7F6EE35DC42E7A1

Function 014BA809 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc300d7bbcca66f487bf05c6e4cd5a3561a2dbed28b3729065bbf0e483aacd3
Instruction ID: f18b9a8ffa17afb113b403af36c4b06d9705662f55dd08d77bffd595ed22541e
Opcode Fuzzy Hash: 9bc300d7bbcca66f487bf05c6e4cd5a3561a2dbed28b3729065bbf0e483aacd3
Instruction Fuzzy Hash: 9F31A170A00209CFCB04CF7DC8849AEBBB6FF89350B25855AE5159B3B1CB359C42CBA0

Function 014BDF79 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620943b5a30e225db026779158b8cedc96e2faf235a7b6ce1416ba426a01cb6d
Instruction ID: 0dbb9e275fc266aa0e28f29ef13baf1fcac5f974f561bf5c324d523ed4ca60d4
Opcode Fuzzy Hash: 620943b5a30e225db026779158b8cedc96e2faf235a7b6ce1416ba426a01cb6d
Instruction Fuzzy Hash: 3C217E71E042088FEB08CFEAD8442EEBBB6EFCA314F14D06AC514B7275D77085468B61

Function 014B76E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90de8014569290124607b98683e4f573b9d8ee08a6a57cf9dffca6acc5b41e5b
Instruction ID: f70bfa4d7131e55e6e7c010c4cef52b9cc1ca7ade542157abd9bad22fe7c3c31
Opcode Fuzzy Hash: 90de8014569290124607b98683e4f573b9d8ee08a6a57cf9dffca6acc5b41e5b
Instruction Fuzzy Hash: E82195383002054BEB25163988D4ABF3697AFC475AF14807BD602CB7E9EE75DC42E7A1

Function 014B2060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a48b136b1ea365d9c2320bfe0c2a00160c1b251d897db663fd54677ed4947c9
Instruction ID: 5679ed6d617782c84c532b9dbf6215a76b1242e7fc51db63bb55e5ade1652888
Opcode Fuzzy Hash: 9a48b136b1ea365d9c2320bfe0c2a00160c1b251d897db663fd54677ed4947c9
Instruction Fuzzy Hash: BC21A175A00116DFCB14DB68C8909AF77A6EB9C260B10C55AD9099B390DB36EE42CBA1

Function 014B5A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4980221de9bf403a8425405709be9676e4aa87a2c028abf1e227aa70ee95d0b
Instruction ID: 05d291857eeb86264c5a1342bbb8e73a5a40f5f973bf80a12c385478b30d2629
Opcode Fuzzy Hash: d4980221de9bf403a8425405709be9676e4aa87a2c028abf1e227aa70ee95d0b
Instruction Fuzzy Hash: 5421C0357016128FD7299A29C4D492FB7A6FBC9B50714416AEA06DF3A4DE34DC02CFD0

Function 0146D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605204800.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_146d000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a135f1975570dd52cd8f685258bd63470526a302512490aa30333c2d9e04d584
Instruction ID: 2dc75a9752ea33984cb8045caa016dd715400ebc32f2a4ab01c9f96e89f15f47
Opcode Fuzzy Hash: a135f1975570dd52cd8f685258bd63470526a302512490aa30333c2d9e04d584
Instruction Fuzzy Hash: CD2137B5A04204EFDB15CF54C9C0B26BB69FB8831CF20C56EE9894B362C776D447CA62

Function 06EA96F0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33371037db36c5106568b1ad4253d3ee90f39a2fe9c9eced392eca6172a5eaa8
Instruction ID: 29727ff04027453502190e1713ad669f9fd007058107c0ae4ed83d580f10d795
Opcode Fuzzy Hash: 33371037db36c5106568b1ad4253d3ee90f39a2fe9c9eced392eca6172a5eaa8
Instruction Fuzzy Hash: BE11E7367043545FDB4AAEB8982427E3FA3EFC8650B14846AE905DB391DE348D02C7A6

Function 014B39ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 453bb3453b096589e2fcf0b47bbdee34c0a4b9dda67ffc1ababe3c6121cc94c7
Instruction ID: 22f453877d11e4082b6941e4bbef6bb798da0168101580335129322fe5b6f82f
Opcode Fuzzy Hash: 453bb3453b096589e2fcf0b47bbdee34c0a4b9dda67ffc1ababe3c6121cc94c7
Instruction Fuzzy Hash: A1319478E11309CFCB44DFA9E59489DBBB6FF49301B2040AAE819AB324D735AD45CF40

Function 014B4DC5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8abc0fe04d70bd29027581bf842f0a2b79167c9cbe8023e37fb485691ced47ad
Instruction ID: f677d07191a443a5aa3621525aaa80c888cc6f92e03fb6ebf4fc4025a624d23a
Opcode Fuzzy Hash: 8abc0fe04d70bd29027581bf842f0a2b79167c9cbe8023e37fb485691ced47ad
Instruction Fuzzy Hash: F621B73560410A9FDB159F69E4847AB3BA2FB54720F14402AF916CB362CB34CD55CFE0

Function 014BD60F Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc590139bd1669505ec3ec2acd9057214b22aea36f1c884ad7590660f66db63
Instruction ID: ebba36c1e3818a79ae6afeaadecb833b2f2e87ad8f1698e5acca9279b21aa954
Opcode Fuzzy Hash: ebc590139bd1669505ec3ec2acd9057214b22aea36f1c884ad7590660f66db63
Instruction Fuzzy Hash: 12114975D00248CFEB08CFAAD4446EEBBB2EFCA315F18D06AC418B7269D77449468F60

Function 06EAE0C0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b6c37842c2cd7a1695dd8427c2ed53c1a47866bb0f411ddd28c7e06d87910b4
Instruction ID: b4577fdd1781d748f8ddb1cb0981bcc95db21e2f22a1a77657d8da8f199e30b0
Opcode Fuzzy Hash: 8b6c37842c2cd7a1695dd8427c2ed53c1a47866bb0f411ddd28c7e06d87910b4
Instruction Fuzzy Hash: C101D6307053508FE7450B7A9C545BBBEABAFDA310B154477E506C7296CE388D0A9771

Function 014BE201 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4469fc9ccebe7e62239d67b03e3be66a4752b4b5292cb1c7cc59044de84831
Instruction ID: 744b3e5f54b8ea7bea84009e4efbce70baaaa076327c3354e93ba8eb3e8845c1
Opcode Fuzzy Hash: 9e4469fc9ccebe7e62239d67b03e3be66a4752b4b5292cb1c7cc59044de84831
Instruction Fuzzy Hash: 15215C7490020ADFEB45DFBAD54069EBFF1FB89304F1096AAC114AB324EB745A468B91

Function 014B1F61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ed870ebec19fde0c3522e9f34e8aead54a59c0169f4a0e264ecf7062cf518f
Instruction ID: 468934a437b5c20174988cfc59765967f39e10a930cffb128e231c2921179a5f
Opcode Fuzzy Hash: a4ed870ebec19fde0c3522e9f34e8aead54a59c0169f4a0e264ecf7062cf518f
Instruction Fuzzy Hash: C921C0B4C042098FCB40EFA9D8955EEBBF1BF4A300F10416AD815B7224EB305A59CFA1

Function 06EA9350 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a2a3ffca4fe75e4791dd09ed377bef2a36832881b703f6eab0ed3b8359fd451
Instruction ID: e5fa044b494d0a01b02d438c939e1d65fc2e7ec372a235a179af6c5e4097cb4e
Opcode Fuzzy Hash: 7a2a3ffca4fe75e4791dd09ed377bef2a36832881b703f6eab0ed3b8359fd451
Instruction Fuzzy Hash: 5D1126B6800349DFDB10CF99C945BEEBFF5EB48320F148419E618A7211C379A550CFA5

Function 014B1F08 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7a4130aee4f59ae265e92556e98b8166715bca18b173d42af6ed2354af85e7
Instruction ID: a96b0058f9d9c39315e4136850374e6baabfd12f91d3319b7653885a9c18eda6
Opcode Fuzzy Hash: 4e7a4130aee4f59ae265e92556e98b8166715bca18b173d42af6ed2354af85e7
Instruction Fuzzy Hash: F42110B4C042098FCB50EFA8D8945EEBFB0FF4A304F14416AD905B7324EB305A85CBA1

Function 06EA8EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2c20c385d8dfe8b42f89199d4f8b14bb4c916a426f95f158864879998cff61
Instruction ID: 0d05e7050b9b0748d23677826f02a0202960d9476ba63f00502ef17c900ae248
Opcode Fuzzy Hash: fc2c20c385d8dfe8b42f89199d4f8b14bb4c916a426f95f158864879998cff61
Instruction Fuzzy Hash: B5113338F00359CFEB00DFE8D850BDEBBB1AB48311F10A155E808AB355E731A9428B50

Function 014BE208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f5e6dba4f449e3ebeb18e11d4220468aabbebedd83d6f8299f8a16433e6abe7
Instruction ID: 7ffdb807440b911d27fc2f07252754368be3e4600df38c3d8297ccc82553c97f
Opcode Fuzzy Hash: 7f5e6dba4f449e3ebeb18e11d4220468aabbebedd83d6f8299f8a16433e6abe7
Instruction Fuzzy Hash: 6C114F74D0020ADFEB45DFBAD54069EBFF1FB88304F0096AAC514AB324EB745E458B81

Function 0146D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605204800.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_146d000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: c26193338c4083f697d68723ad28f44ed28b259ec39aa9d921478148422cd821
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 7C11BEB5A04284CFCB16CF54C9C4B16BB61FB84318F24C6AAD8894B363C33AD44ACF52

Function 06EAE0CC Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d060a5391c6b9e137f9672a89b79aea23c02b3e89e22fb3429ef97f4680c18e7
Instruction ID: 4229af638663951594fecc9eea8ab8d4e26f513aa6a98c5bd74e04ef01f82839
Opcode Fuzzy Hash: d060a5391c6b9e137f9672a89b79aea23c02b3e89e22fb3429ef97f4680c18e7
Instruction Fuzzy Hash: EE01BC307043149FD7151ABA9C5856BBEABEFCA210B14847BE60AC7396CE348C0687A1

Function 06EA2670 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72dd5a3bfb86dc341d9d0cfd9ed3864647ea8390ccbd0eececc2fef415424f9
Instruction ID: 298f2a2a534daaff84ac4c47d117cf01c9406ad3f1781279fa0610c248aba2d8
Opcode Fuzzy Hash: e72dd5a3bfb86dc341d9d0cfd9ed3864647ea8390ccbd0eececc2fef415424f9
Instruction Fuzzy Hash: 0C118B35B103128FCB54DB7CE408A5E7BF4EF8836471141A9E506DB361EB32DA068BD1

Function 06EA999F Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d702871c27a1676ba18271704b48d622bd6cff0b3eacda54708de2d0643428f
Instruction ID: 64d20e30b85a56bb7b374f223bb085537d5ede8f2c09efaf45a719753484298f
Opcode Fuzzy Hash: 4d702871c27a1676ba18271704b48d622bd6cff0b3eacda54708de2d0643428f
Instruction Fuzzy Hash: 851120B6800349DFDB10CF99C945BEEBBF5AF48320F24841AE618A7211C379A560CFA1

Function 014B5607 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8e5b04830a793ddca4b455e19f1d7a8146675cea3122a078491536f6b79cde
Instruction ID: 456c1cb5dda2f045f36a41c9f1acaf104d4e116f9e20180388f7ad182b6c8651
Opcode Fuzzy Hash: 0a8e5b04830a793ddca4b455e19f1d7a8146675cea3122a078491536f6b79cde
Instruction Fuzzy Hash: F601D8717041196FDB058E69A8007EFBB97EFD8B51F18802FFA09CB254DA75C9128BA0

Function 06EA25E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5377955178f5a8db3643b7a38364cbf631e5f4e42cb919fcd6ea9dac63ab98
Instruction ID: 1edc1540f6e3553de52d74078e096e06e91a487559e5bce321ff77ce3cf9fcd5
Opcode Fuzzy Hash: db5377955178f5a8db3643b7a38364cbf631e5f4e42cb919fcd6ea9dac63ab98
Instruction Fuzzy Hash: 7201E470E013199FDF48EFBAC8446EEBBF5AF88200F14816AD919FB250E7345A018B90

Function 014BD449 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d851e63044ec403b4c432035998ddfdc475da3b17677347abee444665c16a774
Instruction ID: 8cb22608aad6e5fc81b8f98a43c7e1200e65a82c7b9b8c5845280a0087dd869b
Opcode Fuzzy Hash: d851e63044ec403b4c432035998ddfdc475da3b17677347abee444665c16a774
Instruction Fuzzy Hash: D7F0ED31D44304DFDB148FA8F8092EEB7B4EB8B318F106079C000AB275DB7255068B65

Function 014BDF08 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0702cdea74ebcfe713ca594ed4652e3e12e88af8249cc2c6575a3611d812b5d
Instruction ID: 9473088481e852c203612b6f9fc98814187ad58949c1defd13a4d1a2720046dc
Opcode Fuzzy Hash: b0702cdea74ebcfe713ca594ed4652e3e12e88af8249cc2c6575a3611d812b5d
Instruction Fuzzy Hash: 08F0ED31D04204CFDB148FA8A8242FABBB0EF8B309F0064A9C001A6170CBB1861ACF91

Function 014BDEB0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9b43a30929f23e5740b511966ce0009a025a3ad29c2e4b37f4a0006cce1108
Instruction ID: b402d47aee9c96b20284ef117067f591bfda33d24bb0994edd99b06d743233bb
Opcode Fuzzy Hash: bc9b43a30929f23e5740b511966ce0009a025a3ad29c2e4b37f4a0006cce1108
Instruction Fuzzy Hash: 2CF03A75E11525CFCB88EFBCC48459E7BF0AF08224B2144BAD509DB321EB30D9018BD0

Function 014B2010 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0556b8983b50a696bf0d7f4ce63c78f9a4b9d83368a59a1f227d3b27625562e8
Instruction ID: 3b20f02c6f6c981c04e27d0a17cbc765bce9093260d963894d89631c2fce2bfe
Opcode Fuzzy Hash: 0556b8983b50a696bf0d7f4ce63c78f9a4b9d83368a59a1f227d3b27625562e8
Instruction Fuzzy Hash: C6E0923582035A9BCB01DBB5DC004DEBB38EE97214B9045ABD0206B161EB71265ED7B1

Function 014BD4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7e4c4c6a0530b3da2e74d8b3f117aa0dc4a68d5a043df97848d60679cbbc185
Instruction ID: 021a117e7338fee312e1f5678982bb73a732f8e5a2b06e89026a74258c50383b
Opcode Fuzzy Hash: e7e4c4c6a0530b3da2e74d8b3f117aa0dc4a68d5a043df97848d60679cbbc185
Instruction Fuzzy Hash: BFE0DF93C08180CBE3109BE664A60F9BF30D9E321978461EBC189CB235D678E60B9B25

Function 014B2020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48adcb4412e71c238ddaf7027aea97cad89a0b027bd7100bac727fbfcc905bf7
Instruction ID: 9b44438f306742223ab7b2fb5e83c9f40eaf4e06d6a9e4a6c89f4adb3948baf4
Opcode Fuzzy Hash: 48adcb4412e71c238ddaf7027aea97cad89a0b027bd7100bac727fbfcc905bf7
Instruction Fuzzy Hash: 80D01231D2022B968B00A6A5DC044DEB739EE96261B904626D51537144EB71265986E1

Function 014B8258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 9bafaace35aa34fda337adb96f9acd01efbdf80da04e4bf24a5a9622ce3a55c6
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 82C0123720D1282AA629108EBC80AE3BB8CC2C12B4A250137F91CA3220A8529C8101B8

Function 014BA70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07313e9bca5ab1702d984ae4a59c53046feb4283fa9d7ad246f491efd2e06eb
Instruction ID: 6056e086c6185693298489a83f06aa02a3aa1b1fa5b38ec40d141cca0c0910a5
Opcode Fuzzy Hash: d07313e9bca5ab1702d984ae4a59c53046feb4283fa9d7ad246f491efd2e06eb
Instruction Fuzzy Hash: 47D0677AB111089FCB149F98E8409DDB7B6FB9C221B048126E915A3264C6319921DB50

Function 014B5EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a71702640b3711c007fa75df97806f1cb86bad787ccfb56d813701dca16fbe
Instruction ID: bca81dedb7f37962060c876020b86611e27186d32d66baaa2897181864426349
Opcode Fuzzy Hash: 30a71702640b3711c007fa75df97806f1cb86bad787ccfb56d813701dca16fbe
Instruction Fuzzy Hash: 60D0C23440834B8BD316EBB2E8100143F25BF80204B40509DBA050E067EDBC088687A2

Function 014BFBEB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201ea52d91b660d6a713acdbffca557ed18916e0f5ae4ec33231aa09943cee2b
Instruction ID: f0ecd5a5ac023796350d879c9a912ceb5853f9f1841bd50c8ba5bdcf1cd4feb7
Opcode Fuzzy Hash: 201ea52d91b660d6a713acdbffca557ed18916e0f5ae4ec33231aa09943cee2b
Instruction Fuzzy Hash: 92D06774D0411CCBCB24DF94E9442DCB7B0EB95305F0010D7D90DB3210D6305EA58F21

Function 014B5EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7e80d655786a65d4968bf5e7a0fb670790d0588fc73c8a5eebc63b9ac83bed
Instruction ID: 94ad4e5d54bec709da35aa9767c92091ebd81e895511326c44b2de012c7e7d05
Opcode Fuzzy Hash: ca7e80d655786a65d4968bf5e7a0fb670790d0588fc73c8a5eebc63b9ac83bed
Instruction Fuzzy Hash: 6DC0123450430F8BE659EBF7F9445153B2AF6C0300F405558A70A1E156EEBC1D854791

Non-executed Functions

Function 014BE528 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a8035716c19abfad6ee581921cd953deb9c1cac802b18dfaa07ef9258c0b393
Instruction ID: 7d04eb0ce68e43c07f68f30754a9a988c4f1884c5a162db3c76a471a2570c256
Opcode Fuzzy Hash: 8a8035716c19abfad6ee581921cd953deb9c1cac802b18dfaa07ef9258c0b393
Instruction Fuzzy Hash: 41528074E01229CFDB64DF69C884BDDBBB2BB89301F1081EAD509A7265DB359E81CF50

Function 06EA5EC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bee41451a226fe2741961764c6aeee68635f654f6df867767a16ae1361344a
Instruction ID: 4f2baf90a794814c5ee9300b2d7de038c503b604052aaf6f9867196ccb06f521
Opcode Fuzzy Hash: f7bee41451a226fe2741961764c6aeee68635f654f6df867767a16ae1361344a
Instruction Fuzzy Hash: D2C1B174E00218CFDB54DFA5C984BADBBB2EF89304F2091AAD809AB355DB355E85CF50

Function 06EA5618 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0eedc309c72e5f646c112d5e6b1cd1951403c7d1bc04501bf7cfd576b754af8
Instruction ID: 012b7b5737eb31a16c306c67fd4b9fb1e97b15281591c0bbf18ea649690a32f2
Opcode Fuzzy Hash: c0eedc309c72e5f646c112d5e6b1cd1951403c7d1bc04501bf7cfd576b754af8
Instruction Fuzzy Hash: D6C1AF74E00218CFEB54DFA5D994BADBBB2EF88300F1091AAD409AB355DB355E85CF50

Function 06EA6778 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e25a5f8f54338cb259815e84ec2fd119a26b7a62da892e1a4bb9350561e95d4
Instruction ID: ff3f6f3d8376a754c2e525b6ee3d8b33899b3b845194a7e74963b7a45398e79e
Opcode Fuzzy Hash: 3e25a5f8f54338cb259815e84ec2fd119a26b7a62da892e1a4bb9350561e95d4
Instruction Fuzzy Hash: 17C1B074E00218CFEB54DFA5C984BADBBB2EF89304F1091AAD409AB355DB355E85CF50

Function 06EA74A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12052d17bf76dbd7f541d11c75cfdc71d4648397455e9a29eade286c5ccdf701
Instruction ID: 9542d7aad14e084a0f0b56fc301d80f7e1022a9b45f1aa0968dd39f4508498e3
Opcode Fuzzy Hash: 12052d17bf76dbd7f541d11c75cfdc71d4648397455e9a29eade286c5ccdf701
Instruction Fuzzy Hash: 72C1B178E00218CFDB54DFA5D994BADBBB2EF88304F1090AAD409AB355DB355E85CF50

Function 06EA0498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c5da5ebf9e7fc15dd09e22f8a745b6e3a62166bde1f46456d94efe21f80b057
Instruction ID: b157bc25943ca323c88afff2816977abb9484da08af97c04eab35e3916a09824
Opcode Fuzzy Hash: 1c5da5ebf9e7fc15dd09e22f8a745b6e3a62166bde1f46456d94efe21f80b057
Instruction Fuzzy Hash: 9AC1B174E00218CFEB54DFA5C984BADBBB2EF89304F2090AAD409AB355DB355E85CF50

Function 06EA0D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff583798ece0b83de7512a20655553a5d8943070dc8360ea959f23415f7ef9ef
Instruction ID: d72da04cb13fe4fd75f99de95b50e55cbda9399b68abd5ba695ed7bd451558d8
Opcode Fuzzy Hash: ff583798ece0b83de7512a20655553a5d8943070dc8360ea959f23415f7ef9ef
Instruction Fuzzy Hash: 7AC1A078E00218CFDB54DFA5D984BADBBB2EF88304F2091AAD409AB355DB355E85CF50

Function 06EA7D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c51c55d7750bb5f70b5fb42c72ab183f4ee5851140783d56eb8e8c5444c88ba
Instruction ID: 40c09660c8daa1477a12d5e4ce7789c281144eb406c44687522db9f2745bee5e
Opcode Fuzzy Hash: 3c51c55d7750bb5f70b5fb42c72ab183f4ee5851140783d56eb8e8c5444c88ba
Instruction Fuzzy Hash: 55C1B178E00218CFDB54DFA5C994BADBBB2EF88300F2090AAD409AB355DB355E85CF50

Function 06EA5A70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec979404ea67c201fb2d41e2a845c83a7d17736c1c7be051060786ce94eeb0a
Instruction ID: c6db6f74681af44f4def1b1ae383451d9ddd89f2238df5408be40e0cf57a2be4
Opcode Fuzzy Hash: 2ec979404ea67c201fb2d41e2a845c83a7d17736c1c7be051060786ce94eeb0a
Instruction Fuzzy Hash: 4BC1B174E00218CFDB54DFA5D984BADBBB2EF88304F2091AAD409AB355DB355E85CF50

Function 06EA6BD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208bcc8ead021c7087d64adcae28bfc8fca07bd27cf823800dee9ab00e14b2c6
Instruction ID: 871fcd48e1c54f7259dee5ec42488932f6a410be37e2f89b053186a57c36d358
Opcode Fuzzy Hash: 208bcc8ead021c7087d64adcae28bfc8fca07bd27cf823800dee9ab00e14b2c6
Instruction Fuzzy Hash: 6AC1B174E00218CFEB54DFA5D944BADBBB2EF89304F2090AAD409AB355DB355E85CF50

Function 06EA6320 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 047f424946695f3ab31e262a4c32449d59ecae9cc100ecb9e212c9146c3eab6f
Instruction ID: b3dfd8fdc6f6498f42dd26bc413a3ef4c07ccbb4dcbdeae652058fc0691f6dcf
Opcode Fuzzy Hash: 047f424946695f3ab31e262a4c32449d59ecae9cc100ecb9e212c9146c3eab6f
Instruction Fuzzy Hash: 27C1C078E00218CFEB54DFA5D984BADBBB2EF89300F1090AAD409AB355DB355E81CF50

Function 06EA08F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1529b221dfb39d1d0f0c13637fad74426cb54c382aedd8d3bd66584fac250b6d
Instruction ID: f0044f348e7d246eb299f77fd89970c2c7a6164ada99d42f089ed8850016d89a
Opcode Fuzzy Hash: 1529b221dfb39d1d0f0c13637fad74426cb54c382aedd8d3bd66584fac250b6d
Instruction Fuzzy Hash: C6C1B274E00218CFEB54DFA9C944B9DBBB2EF88304F2091AAD409AB355DB355E81CF50

Function 06EA0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 430d87ea7841d54940b4f49863bb66eb56941a4a70069ff88632189e58932335
Instruction ID: f8dd5c1b903545cba61031fa663b49c888be30bab19bb6265a56cee9a1a16ca6
Opcode Fuzzy Hash: 430d87ea7841d54940b4f49863bb66eb56941a4a70069ff88632189e58932335
Instruction Fuzzy Hash: 2EC1AF74E00218CFEB54DFA5D994BADBBB2EF88304F1090AAD809AB355DB355E85CF50

Function 06EA7050 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06c27a453450b4ddc78e88060d2b148d02795217e6c13dff99ed87ef23f93850
Instruction ID: 6dfa6420223a28e6db4dd4e8cc75f32cd5d435bedd0983a39795e60282fc4b82
Opcode Fuzzy Hash: 06c27a453450b4ddc78e88060d2b148d02795217e6c13dff99ed87ef23f93850
Instruction Fuzzy Hash: 01C1B078E00218CFDB54DFA5D994BADBBB2EF88304F2090AAD409AB355DB355E85CF50

Function 06EA81B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 243946fd8376ec401755f408a0ad4f5e16d34fb25c43bf3f933d7abfd5aa8322
Instruction ID: 4f4b57f8c9d9f19de12b971a95072b77e93befe52038a8702a5c5779f5c7176b
Opcode Fuzzy Hash: 243946fd8376ec401755f408a0ad4f5e16d34fb25c43bf3f933d7abfd5aa8322
Instruction Fuzzy Hash: B9C1A074E00218CFEB54DFA5D994BADBBB2EF88300F1091AAD809AB355DB355E85CF50

Function 06EA5198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef0d4e2e4e4174a5e622713cc198340061478f3225e5c071a9bbf06ea08acbf
Instruction ID: 87e4bb6a71dbb529fdde72d784dea730d9150b8886696b67021e73c68a45d260
Opcode Fuzzy Hash: 7ef0d4e2e4e4174a5e622713cc198340061478f3225e5c071a9bbf06ea08acbf
Instruction Fuzzy Hash: EAC1B174E00218CFDB54DFA5D984BADBBB2EF89300F2091AAD409AB355DB355E85CF50

Function 06EA7900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4704c2cfca050e700ef80a8de502cb74ff9c3f7e7b5bb82bc02959bc86868ba6
Instruction ID: a1c2710532aebda6e3e20dc5e04c129b0473fd139d3ec8e09657eb184328701a
Opcode Fuzzy Hash: 4704c2cfca050e700ef80a8de502cb74ff9c3f7e7b5bb82bc02959bc86868ba6
Instruction Fuzzy Hash: A8C1A178E00218CFDB54DFA5D944BADBBB2EF88304F1091AAD409AB355DB355E85CF50

Function 05D811C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8483c21750e218c3d3de29dc1cdede556d8ecb41b02ef46b65caa2a105051739
Instruction ID: 82525e7d05029113f051b5010062336efe2d304f9ea2cb0f47735a041418b665
Opcode Fuzzy Hash: 8483c21750e218c3d3de29dc1cdede556d8ecb41b02ef46b65caa2a105051739
Instruction Fuzzy Hash: 36C18178E01218CFDB24DFA9D954BADBBB2FB89300F1081AAD809A7355DB355E85CF50

Function 05D8C1F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9246c697b5c54e1a5e666dbc8cbaaa412fe626e2fe169ab9023a54b279f20b
Instruction ID: d0ad940b7b08c4a4bdd7c0455d19b61e7d6f20ff21965fb346592d6bc150b194
Opcode Fuzzy Hash: 3b9246c697b5c54e1a5e666dbc8cbaaa412fe626e2fe169ab9023a54b279f20b
Instruction Fuzzy Hash: 6CC18074E00218CFDB14DFA9D954BADBBB2EF89300F1091AAD409AB365DB355E85CF50

Function 05D8BD98 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97be17b3b649bed2351d91bbbe7d678595179a8f547cc52a4d47a30cf405e210
Instruction ID: 0af4da2f6e9c504912efbd0ed6028b7b13f45436bd3306fe5c4a44af811bcf6c
Opcode Fuzzy Hash: 97be17b3b649bed2351d91bbbe7d678595179a8f547cc52a4d47a30cf405e210
Instruction Fuzzy Hash: 39C18F74E00218CFEB14DFA5D994BADBBB2EF89300F1091AAD409AB355DB355E85CF50

Function 05D8F1B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650de5306bcc3b3fc2b06aacc27450400d405d16ed241adc0affb87e019db6c5
Instruction ID: 54e698bd365aacfb2a5c1ab7d5b1ce6caeebadf444a0164090d7519e01f9a19c
Opcode Fuzzy Hash: 650de5306bcc3b3fc2b06aacc27450400d405d16ed241adc0affb87e019db6c5
Instruction Fuzzy Hash: F1C18074E00218CFDB54DFA5D994BADBBB2EF89300F1081AAD409AB355DB355E85CF50

Function 05D8B940 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85c3eb9e577015c6e2c93a15ec1d878cb2c8b82cda97a8be901bd5768b751f01
Instruction ID: 97c3c1b302efa677660347ee9acd7c59332ac3c501d4c16b794481d08a4c4d8e
Opcode Fuzzy Hash: 85c3eb9e577015c6e2c93a15ec1d878cb2c8b82cda97a8be901bd5768b751f01
Instruction Fuzzy Hash: 90C18F74E00218CFEB14DFA5D994BADBBB2EF89300F1091AAD809AB355DB355E85CF50

Function 05D8ED60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e9f196ec2359f5681aba48773c6e09bffa143dddc9e111eaba690da8daff45
Instruction ID: d250e8d44dc8f8c93b865b4e2bf1608f8665a96e5082fcf2afdbfca9f21e51ea
Opcode Fuzzy Hash: 69e9f196ec2359f5681aba48773c6e09bffa143dddc9e111eaba690da8daff45
Instruction Fuzzy Hash: A2C19F74E01218CFDB14DFA5D994BADBBB2EF88304F2081AAD409AB355DB355E85CF50

Function 05D80D60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17563a4f23c4518f12ede6b66dc642c3236665acef67ebf4f922c9dabd044d30
Instruction ID: b625fe4cc6feafc93d383193c39fd0dc59f24c87a62840fa12ac2ceb39b5d470
Opcode Fuzzy Hash: 17563a4f23c4518f12ede6b66dc642c3236665acef67ebf4f922c9dabd044d30
Instruction Fuzzy Hash: 8BC18178E00218CFDB24DFA9D954BADBBB2FB89300F1081AAD809A7355DB355E85CF50

Function 05D8E908 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f05aa978133e24897020dc142d088304d79e242bd9e7a4e2bad8da1a78c5f60
Instruction ID: 887ef95eb5c64270bd3b9d4fb5ede0805912f65fa6bfe080421ede985e951f76
Opcode Fuzzy Hash: 2f05aa978133e24897020dc142d088304d79e242bd9e7a4e2bad8da1a78c5f60
Instruction Fuzzy Hash: E2C18E74E00218CFDB14DFA5D994BADBBB2EF89300F1081AAD809AB355DB759E85CF50

Function 05D80900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a490957d16c49d29d0279a580a832aefcf7fe8e97912016dfa9bc821e2836b
Instruction ID: ed4bffb6723ba14855f8c2d5ab1bd2e88b63c009e66e1cab49760c7c90e031df
Opcode Fuzzy Hash: 94a490957d16c49d29d0279a580a832aefcf7fe8e97912016dfa9bc821e2836b
Instruction Fuzzy Hash: 3EC19078E00218CFDB24DFA9D954BADBBB2FB89300F1081AAD809A7355DB355E85CF50

Function 05D8B4E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d47e4fdabf553cc198279cb3f84eaaf3db53cd40cbc49fa1ece86a0dfabebf8
Instruction ID: 64ba40833ce35814732f734b5e4ed51e90d25d55bd02a880ed96c1a8b0489d0c
Opcode Fuzzy Hash: 9d47e4fdabf553cc198279cb3f84eaaf3db53cd40cbc49fa1ece86a0dfabebf8
Instruction Fuzzy Hash: 26C18074E00218CFEB14DFA5D994BADBBB2EF89300F2091AAD409AB355DB355E85CF50

Function 05D8E4B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0c6df121e4f7dbbc8a96f0ffaa3ae5e68f3f98ad7180e3d55d5a689e6e878d
Instruction ID: 1d19b726171f8843040638981737a3a2f0eba48ba98c72cfdaa7ebbf9436be74
Opcode Fuzzy Hash: 1d0c6df121e4f7dbbc8a96f0ffaa3ae5e68f3f98ad7180e3d55d5a689e6e878d
Instruction Fuzzy Hash: EDC18F74E00218CFDB14DFA5D994BADBBB2EF89300F2091AAD409AB355DB355E85CF50

Function 05D804A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63b9db416f26acd59125ffe195e8ed611cfbe5c0a5339b9012537216618dd36
Instruction ID: 1b3619b46bff776935fde8af2c6b03e809253f35a55fae87d34866c29df0a2af
Opcode Fuzzy Hash: a63b9db416f26acd59125ffe195e8ed611cfbe5c0a5339b9012537216618dd36
Instruction Fuzzy Hash: A3C18178E00218CFDB64DFA9D954BADBBB2FB89300F1081AAD809A7355DB355E85CF50

Function 05D8E058 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74f0bb51262abac6f8b1d7a43312c6b373a9f7b322a0d743051a7dbb5b42378
Instruction ID: 6289813171914a4b4b3709f1c02f9f7067f5a9932e833559c10c289598118b23
Opcode Fuzzy Hash: f74f0bb51262abac6f8b1d7a43312c6b373a9f7b322a0d743051a7dbb5b42378
Instruction Fuzzy Hash: 0EC18F74E00218CFDB14DFA9D994BADBBB2EF89304F1081AAD409AB355DB359E85CF50

Function 05D80040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e646518673eb0ce76bcc28a0491b22c4aa3ccc5875b74f3f77bbf5e6c65fb6
Instruction ID: 34fc2550c8cb8a45082047ac569c1f32c02e851b070fd38519e890c8c7752392
Opcode Fuzzy Hash: 41e646518673eb0ce76bcc28a0491b22c4aa3ccc5875b74f3f77bbf5e6c65fb6
Instruction Fuzzy Hash: BDC18274E00218CFDB24DFA9D954BADBBB2FB89300F1081AAD809AB355DB755E85CF50

Function 05D8DC00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7b4373cbd7d91aa1e61bdd56a472c6328489a104abfbc9e943e0e67b7b236f
Instruction ID: 4a1b9727795da171b8ccd7b1a321c8ce540c9899a1b91e96d5921318ebc990b3
Opcode Fuzzy Hash: bd7b4373cbd7d91aa1e61bdd56a472c6328489a104abfbc9e943e0e67b7b236f
Instruction Fuzzy Hash: D0C18F74E00218CFDB14DFA5D994BADBBB2EF89300F1081AAD409AB395DB355E85CF50

Function 05D8D7A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466c97382c7d10092432598d1b02b674a10112013fcb58d3a2d5590a3eb9a271
Instruction ID: 152f0ddaffa603b24b873633d849b86848fe46b05078c20b809d21b23f9da8a1
Opcode Fuzzy Hash: 466c97382c7d10092432598d1b02b674a10112013fcb58d3a2d5590a3eb9a271
Instruction Fuzzy Hash: A6C18074E00218CFDB14EFA5D954BADBBB2EF89300F1091AAD409AB395DB355E85CF50

Function 05D8D350 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad4a792bdadd7092a7bf93ed00773542942a676971cac16ad60afa13759c462
Instruction ID: a4b37a5a3ce4a4c22aa564adf4f0150f40ea160b521d79b7d2be7c91e71fc50d
Opcode Fuzzy Hash: dad4a792bdadd7092a7bf93ed00773542942a676971cac16ad60afa13759c462
Instruction Fuzzy Hash: A1C18F74E00218CFDB14DFA5D994BADBBB2EF89304F1081AAD409AB395DB359E85CF50

Function 05D8CEF8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873132bc6b1ecae9df3dbafded6d81a7229e94bdc10b378d6b671f425dbf626d
Instruction ID: 83af5f3429214bcad758aa68b339bd4ad8a1a09472394794bd764527fd49c7dc
Opcode Fuzzy Hash: 873132bc6b1ecae9df3dbafded6d81a7229e94bdc10b378d6b671f425dbf626d
Instruction Fuzzy Hash: 02C18074E01218CFDB14DFA5D994BADBBB2EF89300F1081AAD409AB395DB359E85CF50

Function 05D8CAA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ecc796bb58b2e852586bb5502f805969e8842cecf9e0e55d8a7a347589ecc82
Instruction ID: 470da94b7fa7f0e4aff015586cbb2ee440ac97da845b140b108e448856afd6ad
Opcode Fuzzy Hash: 4ecc796bb58b2e852586bb5502f805969e8842cecf9e0e55d8a7a347589ecc82
Instruction Fuzzy Hash: BFC18E74E00218CFDB14DFA5D994BADBBB2EF89304F2081AAD409AB365DB355E85CF50

Function 05D8C648 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a62557ea3ff0f4b423a7e356c395bf98a4adb868826990a72c9191ff77c7bb
Instruction ID: 8ade57a3d3aab6eb3ec5c577dbd2e0428448e7bc38e0e1abcbf198921fe258bc
Opcode Fuzzy Hash: f4a62557ea3ff0f4b423a7e356c395bf98a4adb868826990a72c9191ff77c7bb
Instruction Fuzzy Hash: D5C18E74E00218CFDB14DFA5D994BADBBB2EF89300F1091AAD409AB365DB355E85CF50

Function 05D8FA68 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537355ed18de9a8f0b07de5117aac9027a4f512c1cdf1b12e5b0632b0372f133
Instruction ID: c6b0bf9726ba8eb9e3bc77c35e66686db2635b6d22d00cc1c324f63210f2fcac
Opcode Fuzzy Hash: 537355ed18de9a8f0b07de5117aac9027a4f512c1cdf1b12e5b0632b0372f133
Instruction Fuzzy Hash: 4FC18F74E00218CFDB14DFA5D994BADBBB2EF89300F2091AAD809AB355DB355E85CF50

Function 05D8F610 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98047d4f7ad617086788e422e075fc1e1f63473dc059e1890f08e4dde3016d9a
Instruction ID: a3b08aa93280290a8c8dfb5418a362c005dfe59cb8bbbf76321f8af7ad46b14d
Opcode Fuzzy Hash: 98047d4f7ad617086788e422e075fc1e1f63473dc059e1890f08e4dde3016d9a
Instruction Fuzzy Hash: 96C18F74E00218CFDB14DFA5D994BADBBB2EF89304F1081AAD409AB355DB355E85CF50

Function 06EA33B8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e08f21f30321118e751b3672b19c69e5fa05e41cae218e67759c65ff6fb0f69
Instruction ID: 1455ebfae3c76986fd8dccbebc93f5273e768a63f9fb0a5a770e02d9286025fa
Opcode Fuzzy Hash: 1e08f21f30321118e751b3672b19c69e5fa05e41cae218e67759c65ff6fb0f69
Instruction Fuzzy Hash: 1BB1A678E01218CFDB54DFA9D884A9DBBB2FF89310F1181A9D819AB365DB34AD41CF50

Function 05D81620 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b731c86710b2579234fea573809411fc643c2fa09f6bdb759eca22240518368b
Instruction ID: dd5f6d133f252224eaf74ca6029152551227b0cac58e02f49d087ca7886bc858
Opcode Fuzzy Hash: b731c86710b2579234fea573809411fc643c2fa09f6bdb759eca22240518368b
Instruction Fuzzy Hash: 10A10870D00218CFEB24DFA9C844BEDBBB1FF88314F20926AD459A72A1DB759985CF51

Function 05D81966 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4612812820.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5d80000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 861c29d22de4f5c57f4a2d920cbb2d9a7bf2ce6e47862e8075a60adec97a519b
Instruction ID: f00aa1d7ccd0472aa530c61ae4169694847a7b47b0c9820d3b5e13f50e5cba44
Opcode Fuzzy Hash: 861c29d22de4f5c57f4a2d920cbb2d9a7bf2ce6e47862e8075a60adec97a519b
Instruction Fuzzy Hash: 1C91F674D00218CFEB14EFA8C884BECBBB1FF49314F20929AD459A7291DB759986CF15

Function 014BEB5B Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87634c025f9fa27d763a6d84f74a356d60bf0832f302692481e2d95023d1674b
Instruction ID: f0ba869ed5f5c1ee1258f4726376bd2c1d374a95d1d4aa9d62102b9162e0b7b4
Opcode Fuzzy Hash: 87634c025f9fa27d763a6d84f74a356d60bf0832f302692481e2d95023d1674b
Instruction Fuzzy Hash: C0A18D74A01228CFDB64DF65C994BDABBB2BF89301F1085EAD409A7360DB719E81CF51

Function 06EA33A8 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4615369183.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6ea0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81aefc5ba1775fa9513969cd43cd9a431fdacc4c12a66aec8108498f56fc75e0
Instruction ID: e3c67fa5bc8458467e92f8d18b3ded6cc5b5ab079d26af57872444564d49b8c9
Opcode Fuzzy Hash: 81aefc5ba1775fa9513969cd43cd9a431fdacc4c12a66aec8108498f56fc75e0
Instruction Fuzzy Hash: 8E51B374E017088FDB48DFAAD984A9DBBF2FF89300F249169D419AB364DB34A941CF54

Function 014BED3C Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4605552812.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14b0000_Order_List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42184d21a2746c4e99ea41491032c1e681f2e50e0e1420752e7098a8f73cc95c
Instruction ID: bd54b480de37e4507b728cd36c7d0f89f09f6ad18d065f00ffa6a4d503189aa0
Opcode Fuzzy Hash: 42184d21a2746c4e99ea41491032c1e681f2e50e0e1420752e7098a8f73cc95c
Instruction Fuzzy Hash: 47519F74A01228CFCB64DF24D894BDABBB2BF4A301F5085EAD40AA7354CB719E81CF50

Analysis Process: FTlLqTRGrXZr.exePID: 6320, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	41
Total number of Limit Nodes:	5

Executed Functions

Function 0080DDC8 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0080DE56
GetCurrentThread.KERNEL32 ref: 0080DE93
GetCurrentProcess.KERNEL32 ref: 0080DED0
GetCurrentThreadId.KERNEL32 ref: 0080DF29

Memory Dump Source

Source File: 0000000B.00000002.2276500616.0000000000800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_800000_FTlLqTRGrXZr.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 518dc417c2fae620a1aea0c18547362ac69b182022507916de5e6ed6d64390f7
Instruction ID: f5ee2cd36ae5e619b9e7c6e5a679905921e5aa333ae7756c1c6c80ddaa0a1b29
Opcode Fuzzy Hash: 518dc417c2fae620a1aea0c18547362ac69b182022507916de5e6ed6d64390f7
Instruction Fuzzy Hash: AC5176B0901309CFEB44DFA9D948BAEBBF1FF88314F208459D109A7391DB749944CB65

Function 0080DDD8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0080DE56
GetCurrentThread.KERNEL32 ref: 0080DE93
GetCurrentProcess.KERNEL32 ref: 0080DED0
GetCurrentThreadId.KERNEL32 ref: 0080DF29

Memory Dump Source

Source File: 0000000B.00000002.2276500616.0000000000800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_800000_FTlLqTRGrXZr.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2fc384c467f8fe64ea0ed2f6c5e35975952453b93155f9caa70350aa0fb05988
Instruction ID: 168e746332bf38cde8297136dc62433aa1229d9407986034ff1ef7402c5738df
Opcode Fuzzy Hash: 2fc384c467f8fe64ea0ed2f6c5e35975952453b93155f9caa70350aa0fb05988
Instruction Fuzzy Hash: 5B5167B0901309CFDB44DFAAD948BAEBBF1FF88314F208459E509A7390DB75A944CB65

Function 0691FACE Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0691FD0E

Memory Dump Source

Source File: 0000000B.00000002.2282880348.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6910000_FTlLqTRGrXZr.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cac963814a067ca2d216718da03f7c111e4fb4f9c55e814030dd37308fbd801a
Instruction ID: f79d7e87eb51d8dabcf44da52472af86e5d58fbbb61e033465b9e42eea67c30e
Opcode Fuzzy Hash: cac963814a067ca2d216718da03f7c111e4fb4f9c55e814030dd37308fbd801a
Instruction Fuzzy Hash: 84A12771D0021D8FEF64CF69C841BEDBBF6AB48310F2485AAD819AB240DB759985CF91

Function 0691FAD8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0691FD0E

Memory Dump Source

Source File: 0000000B.00000002.2282880348.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6910000_FTlLqTRGrXZr.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b8e753407657a88801417a12595a7284a7c74edcd64f0ad81a97ede75099c584
Instruction ID: 25490d0667ac7dfaad7695fd794fafba037e521c7b9e966fcd3f11764917057a
Opcode Fuzzy Hash: b8e753407657a88801417a12595a7284a7c74edcd64f0ad81a97ede75099c584
Instruction Fuzzy Hash: C8913871D0021D8FEF64CF69C8417EDBBF6AF48310F2485AAD819AB240DB759985CF91

Function 0080BB40 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0080BDA6

Memory Dump Source

Source File: 0000000B.00000002.2276500616.0000000000800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_800000_FTlLqTRGrXZr.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b0bf8b95ea4da09adadfc62b179b8da46c765b603468202d757a1963269caf31
Instruction ID: 680ccf933b69e31c90d722190a3840a6033cb70ad486a27711e0a42388a77610
Opcode Fuzzy Hash: b0bf8b95ea4da09adadfc62b179b8da46c765b603468202d757a1963269caf31
Instruction Fuzzy Hash: C9816670A00B458FE764DF69D85175ABBF1FF88300F008A2DD48ADBA91DB75E846CB91

Function 0080590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 008059C9

Memory Dump Source

Source File: 0000000B.00000002.2276500616.0000000000800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_800000_FTlLqTRGrXZr.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4dbbaf5e9b7236561a396bf4e9c43d7b74705046ffe9c95aecff3a36f76d9463
Instruction ID: 1a2f74c6d24e0b25fc6aae964b1d94cf454d453ad443e8088ca88dd8b720ad5b
Opcode Fuzzy Hash: 4dbbaf5e9b7236561a396bf4e9c43d7b74705046ffe9c95aecff3a36f76d9463
Instruction Fuzzy Hash: 0E41E2B1C00719CFDB24CFA9C885B9EBBB5FF45704F20815AD409AB251DB756945CF50

Function 00804514 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 008059C9

Memory Dump Source

Source File: 0000000B.00000002.2276500616.0000000000800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_800000_FTlLqTRGrXZr.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 919bf72a79921506aba17d0b62e612db683fb4f311a04c380defb63ee4ec85d9
Instruction ID: 15aa6c82581ff557d8e6984a0eead23759bbf7c08a0c1a0aa069a62e1224a786
Opcode Fuzzy Hash: 919bf72a79921506aba17d0b62e612db683fb4f311a04c380defb63ee4ec85d9
Instruction Fuzzy Hash: 5141E1B0C0071DCBDB24DFA9C844B9EBBB5FF48704F20815AD409AB295DB756945CFA0

Function 0691F848 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0691F8E0

Memory Dump Source

Source File: 0000000B.00000002.2282880348.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6910000_FTlLqTRGrXZr.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f288dffc38be680ba0746d4ac9b8bb8a2567c90b87592c8b46ba345c7a37aad4
Instruction ID: 20546666f2ee0c5a93bd9f6289e06a7e78857307b416a910922fdf7448364210
Opcode Fuzzy Hash: f288dffc38be680ba0746d4ac9b8bb8a2567c90b87592c8b46ba345c7a37aad4
Instruction Fuzzy Hash: B3212871D003599FDB10CFAAC885BEEBBF4FF88310F20842AE959A7240C7789954CB64

Function 0691F850 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0691F8E0

Memory Dump Source

Source File: 0000000B.00000002.2282880348.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6910000_FTlLqTRGrXZr.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e936f1e7af26f179fca3576c4aa341b25df977cc34763e51ffdeea569512442f
Instruction ID: 82567736f85a0ad050d86ab5689a266869ebe9e0e4846e8634d607bd99932f9c
Opcode Fuzzy Hash: e936f1e7af26f179fca3576c4aa341b25df977cc34763e51ffdeea569512442f
Instruction Fuzzy Hash: B7211571D003499FDB10CFAAC885BDEBBF5FF48310F24842AE919A7240C7789954CBA4

Function 0691F938 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0691F9C0

Memory Dump Source

Source File: 0000000B.00000002.2282880348.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6910000_FTlLqTRGrXZr.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 909baf9dc4e23570efb529e76380bd7e9f35d963e59bdb41eebb33f1d52a8388
Instruction ID: 3c4a9ac88e1ae7fbc45e06a4be00d4813c532535797f11a9eaf2a08c70a3fc39
Opcode Fuzzy Hash: 909baf9dc4e23570efb529e76380bd7e9f35d963e59bdb41eebb33f1d52a8388
Instruction Fuzzy Hash: 5E212771D003499FDB10DFAAC881BEEBBF4FF48310F20842AE559A7250D7749901CBA0

Function 0691F6B1 Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0691F736

Memory Dump Source

Source File: 0000000B.00000002.2282880348.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6910000_FTlLqTRGrXZr.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4aefac3447d0d9586e83f54aa97941b2b1a32082ca29735589beeec649fa73db
Instruction ID: f80195dd27eb0d33d1209561eebef040ecc70da0eb857846a8bde30b789e350e
Opcode Fuzzy Hash: 4aefac3447d0d9586e83f54aa97941b2b1a32082ca29735589beeec649fa73db
Instruction Fuzzy Hash: 03212571D003098FDB54CFAAC4857EEBBF4EF88314F24842AD559A7240C7789945CFA5

Function 0691F6B8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0691F736

Memory Dump Source

Source File: 0000000B.00000002.2282880348.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6910000_FTlLqTRGrXZr.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1fb1e985810904a2c02c5fff82d3bfa2c5781adedf3536e5976f8b28f923d7f5
Instruction ID: 4493bf23ae51ee9f8c2fb4a3bd472c7935095e3552ebd43549e29cf6e3ccb956
Opcode Fuzzy Hash: 1fb1e985810904a2c02c5fff82d3bfa2c5781adedf3536e5976f8b28f923d7f5
Instruction Fuzzy Hash: 8D214971D003098FDB50DFAAC4857EEBBF4EF88324F24842AD519A7240CB78A945CFA5

Function 0691F940 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0691F9C0

Memory Dump Source

Source File: 0000000B.00000002.2282880348.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6910000_FTlLqTRGrXZr.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 74ae0ad240abb6d8e4b724180755786e63dadc8343411361b991e9da6ac5b4a5
Instruction ID: 12c5469a6768be8ec714ec8def02c8c17c6ee65691a134fc4ac757342fe2f192
Opcode Fuzzy Hash: 74ae0ad240abb6d8e4b724180755786e63dadc8343411361b991e9da6ac5b4a5
Instruction Fuzzy Hash: E02128B1C003499FDB10DFAAC881BDEBBF5FF48310F20842AE559A7240D7789910CBA5

Function 0080E018 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0080E0A7

Memory Dump Source

Source File: 0000000B.00000002.2276500616.0000000000800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_800000_FTlLqTRGrXZr.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 99763d7713b4c1f89e799cfa088750bfe55be62f6981be7afb026d6df15ede0e
Instruction ID: 86e92c632c4926f7894ad3fe3c7c775a5c1449d6b200b32c05efa8ce6f2a224a
Opcode Fuzzy Hash: 99763d7713b4c1f89e799cfa088750bfe55be62f6981be7afb026d6df15ede0e
Instruction Fuzzy Hash: 8621FFB5900209DFDB10CFAAD980ADEBBF9FB48320F14845AE918A3250C778A954CF60

Function 0080E020 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0080E0A7

Memory Dump Source

Source File: 0000000B.00000002.2276500616.0000000000800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_800000_FTlLqTRGrXZr.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d9289ba865631a832d694502c1e479d2c290656c37da9db174fcabd1e083ffa7
Instruction ID: c7d9765b33ce9202c0cb8ffd0ccbef358485adbd97445c3051814be9c3713f3e
Opcode Fuzzy Hash: d9289ba865631a832d694502c1e479d2c290656c37da9db174fcabd1e083ffa7
Instruction Fuzzy Hash: F221B3B5D00249DFDB10CF9AD984ADEBBF9FB48320F14841AE914A3250D375A954CF65

Function 0080BDD8 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0080BDA6

Memory Dump Source

Source File: 0000000B.00000002.2276500616.0000000000800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_800000_FTlLqTRGrXZr.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 996792c31b9ca86dfd1c17c2f93d37e9014785a3028145f2863e09f03299c84c
Instruction ID: 0ec9c8af1807b1246832c23293035a9354aa99d83fd4594d451ea184ee57a22a
Opcode Fuzzy Hash: 996792c31b9ca86dfd1c17c2f93d37e9014785a3028145f2863e09f03299c84c
Instruction Fuzzy Hash: 4811C1726042458FD7519BAADC007AABBF9FFC5320F0484AAD544D7292CB749845CBA1

Function 0691F788 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0691F7FE

Memory Dump Source

Source File: 0000000B.00000002.2282880348.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6910000_FTlLqTRGrXZr.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b57b2e58bae39552b844c02c97f019e8c9ad6f3a215ff5791d61150509d6922b
Instruction ID: e95df523347ddfaf82493efa4178bf69a4116210f2883acd4e589167c264d32d
Opcode Fuzzy Hash: b57b2e58bae39552b844c02c97f019e8c9ad6f3a215ff5791d61150509d6922b
Instruction Fuzzy Hash: 22111A71C003499FDB10CFAAD8457DEBBF5AF88320F248519E51AA7250C7759550CFA5

Function 0691F790 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0691F7FE

Memory Dump Source

Source File: 0000000B.00000002.2282880348.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6910000_FTlLqTRGrXZr.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3cbfc416042e808cac406942e4cdc206bbba8641eddf43f41251a744090de271
Instruction ID: 634236efa16ba0361c336eb846a0f4f236ca8f0bf45cc9b24e2f83de5eb53b47
Opcode Fuzzy Hash: 3cbfc416042e808cac406942e4cdc206bbba8641eddf43f41251a744090de271
Instruction Fuzzy Hash: DE112672C003499FDB10DFAAC845BDEBBF5AF88720F248419E51AA7250C775A950CBA5

Function 0691F600 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0691F66A

Memory Dump Source

Source File: 0000000B.00000002.2282880348.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6910000_FTlLqTRGrXZr.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ed99e389fcf6d54a966f1d92728db4274b5804c3878dc4113f6a07399b55ebd8
Instruction ID: 6ff9975e97dabdf7a30f695ac281bd7b20508cb56e6dbbc0ed448cee3d62de93
Opcode Fuzzy Hash: ed99e389fcf6d54a966f1d92728db4274b5804c3878dc4113f6a07399b55ebd8
Instruction Fuzzy Hash: A01134B1D003498FDB20CFAAC8457AEBBF4AF88724F24841ED55AA7250CB756904CBA4

Function 0691F608 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0691F66A

Memory Dump Source

Source File: 0000000B.00000002.2282880348.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6910000_FTlLqTRGrXZr.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: edb09f9165d2115a0e8fb07c4ad3ffab1c0c004acb5f71c01356e22681bc7761
Instruction ID: 2194e04b8407e59487d6a6bd61fb91a24d218c712b6e341289c4684ba740e027
Opcode Fuzzy Hash: edb09f9165d2115a0e8fb07c4ad3ffab1c0c004acb5f71c01356e22681bc7761
Instruction Fuzzy Hash: 1A113AB1D0074D8FDB20DFAAC84579EFBF4AF88724F248419D519A7240CB756944CBA5

Function 0080BD40 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0080BDA6

Memory Dump Source

Source File: 0000000B.00000002.2276500616.0000000000800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_800000_FTlLqTRGrXZr.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1fbf1398ab9a3ee86312c42945a7344bb6108795cd967ba5cb684c8ba135e7f9
Instruction ID: 425cfadd5239d83cea04425e80cbbf2f97cc79a10d881e0e3e5c7676c247c554
Opcode Fuzzy Hash: 1fbf1398ab9a3ee86312c42945a7344bb6108795cd967ba5cb684c8ba135e7f9
Instruction Fuzzy Hash: 1D1102B5C002498FDB10CF9AC844ADEFBF4FF88320F14841AD819A7240D375A945CFA1

Function 0068D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276143599.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_68d000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b496af812b6a76b6a868a0005ee83f569c38a612d2c4fede47b703dac2a590
Instruction ID: 1b3cfacf3802b0d407ac621fc02d4d507bcb8db3b998ab463ab505749cc0eb4e
Opcode Fuzzy Hash: d2b496af812b6a76b6a868a0005ee83f569c38a612d2c4fede47b703dac2a590
Instruction Fuzzy Hash: 342128B2504240EFDB15EF14D9C0F26BF66FB84318F20C66AD9090B296C336D856CBB2

Function 0068D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276143599.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_68d000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32161d8f5c0d16131fad5577e13f08f7ac557128b4a84dc3cddee9e316ea803c
Instruction ID: 6b58903dbccaa7301d5907177b83128285794dd8f7e4a8f124222c6c873860f1
Opcode Fuzzy Hash: 32161d8f5c0d16131fad5577e13f08f7ac557128b4a84dc3cddee9e316ea803c
Instruction Fuzzy Hash: F0210875504204EFDB04EF14D5C0B1ABFA6FB94324F20C269D9090B296C376E856CBB1

Function 006AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276264930.00000000006AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6ad000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd96107c131ad57b453ce9900bc0ce9a5080c2f1ad69f58ea34b84d9986212a
Instruction ID: 6a1d67592165401745ca95ee2da02cfb21d568ea5d8023412d21dfc751bd654d
Opcode Fuzzy Hash: 6cd96107c131ad57b453ce9900bc0ce9a5080c2f1ad69f58ea34b84d9986212a
Instruction Fuzzy Hash: ED210075604200EFCB14EF24D980B26BBA2EB89314F20C56DD90A4B792C77ADC47CE61

Function 006AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276264930.00000000006AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6ad000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceeb833b180944a84c683407e4bccc582137acd3a9994870785ca185cba86da4
Instruction ID: 381a9c804e00d18a4983caab16da4ead82bc425875948ee3ccc77c0f109dbbf8
Opcode Fuzzy Hash: ceeb833b180944a84c683407e4bccc582137acd3a9994870785ca185cba86da4
Instruction Fuzzy Hash: 79213475504200EFDB04EF10D9C0B2ABBA2FB85314F20C5ADEA0A4B792C77ADC06CE61

Function 006AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276264930.00000000006AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6ad000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96fa661d1381780b36293c295374e765ff33f5fced15650cbce84a8afe74a00f
Instruction ID: 3b7623bece1d3117c9e3186aafbabe5c10cafec876bd0aa367b82906543a44c6
Opcode Fuzzy Hash: 96fa661d1381780b36293c295374e765ff33f5fced15650cbce84a8afe74a00f
Instruction Fuzzy Hash: C72180755083809FCB02DF14D994B11BF71EB46314F28C5DAD8498F6A7C33A9C06CB62

Function 0068D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276143599.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_68d000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: bf4e24d6fbdaef3ff46e3eb8c79dfe80ed7bbfb9f501bb497f3e19b7d7721d71
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 7F11E6B6504280DFCB15DF10D5C4B5ABF72FB94318F24C6AAD8490B756C33AD856CBA2

Function 0068D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276143599.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_68d000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: f9bc490035ae35c9fe1a2b5e4814e81a4c89529a72660e8d88941d9c6151459e
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 7A11D676504244DFCB15DF10D5C4B56BFB2FB94314F24C6A9D8090B756C33AD456CBA1

Function 006AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276264930.00000000006AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6ad000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: b3b83a987fb22cfe445336c481bc57d923fbc7a638c30f4a267576938895674a
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: B111BB75504280DFCB01DF10C5C4B55BBA2FB85314F24C6A9D94A4B7A6C33AD80ACF61

Function 0068D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276143599.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_68d000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1368b16f54bac1e4becdf70e63640489594898c98025778d6ba6268de16c5d5c
Instruction ID: 4c19e1b2c287c9fbcf1e0851be4d0cae86a49719e2f8b18eb63398aad8fc1d42
Opcode Fuzzy Hash: 1368b16f54bac1e4becdf70e63640489594898c98025778d6ba6268de16c5d5c
Instruction Fuzzy Hash: 7E012671404384AAF7206F25CD84B67BF98DF41364F18C61AEE091F2C2C7B99841CBB1

Function 0068D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2276143599.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_68d000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d335456636c90ad507f7ccda229dae86b093c31a93091457cdc80b26b6915119
Instruction ID: 5564b20d2f37bf942ea3a3e2c7053d8c1a06eed20b935f565c5fd5666b149a44
Opcode Fuzzy Hash: d335456636c90ad507f7ccda229dae86b093c31a93091457cdc80b26b6915119
Instruction Fuzzy Hash: A9F0C2714043449AE7109E16CC88B62FF98EB81734F18C15AED481B2C6C3799844CBB1

Analysis Process: FTlLqTRGrXZr.exePID: 7344, Parent PID: 6320COMMON

Executed Functions

Function 01069858 Relevance: .9, Instructions: 858COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 744cf815fdc8b02eec1b0186f49591b6fe71c3375af2a75711e48df29b9c03a4
Instruction ID: d576a0e1823dbee8a8dbfc4b95f48bc667e8f46146656bb00873d5acda2a2886
Opcode Fuzzy Hash: 744cf815fdc8b02eec1b0186f49591b6fe71c3375af2a75711e48df29b9c03a4
Instruction Fuzzy Hash: 9772C330B00209CFCB15DF68C984AAEBBF6FF88314F158559E985AB7A1D735E941CB50

Function 01066108 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005f9a090d2d05e11786be74145c03fd0a3e91a46608ffc64641c67f7da32b2c
Instruction ID: 82ae4f16eee3f4d535a781701ca0f972653a51a70a9892154fffcb23d048110c
Opcode Fuzzy Hash: 005f9a090d2d05e11786be74145c03fd0a3e91a46608ffc64641c67f7da32b2c
Instruction Fuzzy Hash: 2D12AC70A002199FDB18DFA9C854AAEBBF6BFC8300F148569E589DB391DF359D41CB80

Function 01066730 Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47a8dd73b721b375ad10b00d8d15cffa72cf53abd2c193a3cccab48d39f8180f
Instruction ID: 3cf9bf99b9a602d9c5adceb70d8d1165dd4fcc282de7ce91ddb15705cb5890c0
Opcode Fuzzy Hash: 47a8dd73b721b375ad10b00d8d15cffa72cf53abd2c193a3cccab48d39f8180f
Instruction Fuzzy Hash: 63029170A00209DFDB55CF69C984AADBBFAFF88310F1480AAE585AB265D736DD41CF50

Function 01063572 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a8509c27b1171278aa0d26eed91dd65d97e953dca96d93cf58a467310108fb
Instruction ID: 046ecb710e48868140ed95c9a7ee139ef7cedc10b89a4d3c8aec879d2e975605
Opcode Fuzzy Hash: d3a8509c27b1171278aa0d26eed91dd65d97e953dca96d93cf58a467310108fb
Instruction Fuzzy Hash: F1F16A34E013489FDB08EFB5D8545AEBBB6BFC8700B14856EE446EB354DB359842CB90

Function 0106B328 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f902750fb10a11d3800e08ecbe0f1dade0d3d5d26997fd89ee6bdab30b6671
Instruction ID: c3a5276bae724e53ee5e5b6a73a72fe576cb0e08fcf1383ac09ed20fa4001062
Opcode Fuzzy Hash: b7f902750fb10a11d3800e08ecbe0f1dade0d3d5d26997fd89ee6bdab30b6671
Instruction Fuzzy Hash: 23E1F6B4A00258DFDB14DFA9C984A9DBBF5BF48300F1580A9E949EB362DB30ED41CB50

Function 05738A10 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c0504e12517255708f6cd5dfaa017c3c3792a21bab2059332cf9256e7eaa0c
Instruction ID: 3d26c749cb3ed1c3289bcbcc9c5e87e60a1a01f6db80088a015c98768d87158e
Opcode Fuzzy Hash: 97c0504e12517255708f6cd5dfaa017c3c3792a21bab2059332cf9256e7eaa0c
Instruction Fuzzy Hash: 82E1E074E01218CFEB24DFA5C984B9DBBB2BF89300F2081A9D409A7395DB755E85CF11

Function 0573BD40 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de66d1eb412143ea73ce5ac29e012ff67b0441628ce6e2d33f13481923864f6b
Instruction ID: 7ebcb67e4933768ebc1bc803fddfd6cbcb08e6025f9f686cbdd6593588116082
Opcode Fuzzy Hash: de66d1eb412143ea73ce5ac29e012ff67b0441628ce6e2d33f13481923864f6b
Instruction Fuzzy Hash: 1FA1A274E012288FEB28CF6AC945B9DBAF2BF89300F14D1AAD40DB7255DB745A85CF11

Function 0573C9E0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e240b6496a37a1a76381994c7600a3534252fee7e67d5951481bfabc39c80c
Instruction ID: 2b7a1a387eb7a41f3fc620890e9d617c2d657083f1a63d2a3f6d51d8b6c48b72
Opcode Fuzzy Hash: 01e240b6496a37a1a76381994c7600a3534252fee7e67d5951481bfabc39c80c
Instruction Fuzzy Hash: 8CA19174E012288FEB28CF6AC945B9DBAF2BF89310F14C1AAD409B7255DB745A85CF11

Function 0573A410 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247ee1169f3f7f9f1ec52190acc573d596cc1da561266268e6b1083b38ddb6a5
Instruction ID: c0d8a84da3570fc5f7f21be265f29061f2d821bd4755937748f3040f7793a275
Opcode Fuzzy Hash: 247ee1169f3f7f9f1ec52190acc573d596cc1da561266268e6b1083b38ddb6a5
Instruction Fuzzy Hash: 76A19175E01228CFEB28CF6AC945B9DBAF2BF89310F14C1AAD449A7255DB345A85CF10

Function 0573C390 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d9c44a73e6b5e7ed5b1c05af05b250abf410ebd200e2a8e4d20c42f4177f12
Instruction ID: 777a777603325f12d410b4b7a9e224a378490d987d086b42b71dc242ecfbf958
Opcode Fuzzy Hash: 53d9c44a73e6b5e7ed5b1c05af05b250abf410ebd200e2a8e4d20c42f4177f12
Instruction Fuzzy Hash: ACA1A175E01228CFEB28CF6AC945B9DBAF2BF89300F14C1AAD409B7255DB745A85CF10

Function 0573D678 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb615600db4e1f568d03290f7a4200d325e84328c46c2a74597b046c07d35133
Instruction ID: bdbd1185078814073007dff216fecbfc9190f70107628d4ded03120acaa5007b
Opcode Fuzzy Hash: bb615600db4e1f568d03290f7a4200d325e84328c46c2a74597b046c07d35133
Instruction Fuzzy Hash: F5A1A174E01228CFEB28DF6AC945B9DBAF2BF89310F14C1AAD40DA7255DB745A85CF10

Function 0573B6F0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572f68eaab6834bae35642c79150802ea764fe83f402e20a53e56238210251fb
Instruction ID: 300614fc64d5311470cb9e507cbcee6e0db9d6b2f4dfc203ef3721f66878b204
Opcode Fuzzy Hash: 572f68eaab6834bae35642c79150802ea764fe83f402e20a53e56238210251fb
Instruction Fuzzy Hash: F3A19074E01228CFEB28CF6AC945B9DBAF2BF89300F14C1AAD40DA7255DB745A85CF50

Function 0573D030 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f211491ef954ecc9bfce1af8dc918e3fe58ea149d43796f50f5e37bef589242
Instruction ID: b9b7c9a6092f359719fbbe000fba10045fc45123e6413052e18bde1c5d9d1919
Opcode Fuzzy Hash: 2f211491ef954ecc9bfce1af8dc918e3fe58ea149d43796f50f5e37bef589242
Instruction Fuzzy Hash: E9A19274E012188FEB28CF6AC945B9DBBF2BF89310F14C1AAD40DA7255DB745A85CF11

Function 0573B0A8 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac2e27c21a132fb33523d6ef8ba9c7d66ddc11fc3af4449d101e72a9ae53aa80
Instruction ID: 9061296e80b7d86bf3555508ad17313d29a03e86cee38a69847db51c6b52f734
Opcode Fuzzy Hash: ac2e27c21a132fb33523d6ef8ba9c7d66ddc11fc3af4449d101e72a9ae53aa80
Instruction Fuzzy Hash: 59A1AF74E012288FEB28CF6AC945B9DFAF2BF89310F14C1AAD40DA7255DB705A85CF11

Function 0573AA60 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8621ab161bded3e5fd67412135c3c4fb508a3d75b70d687043547825fcf99a0a
Instruction ID: d9ee750622d88170aba073ab560124e6b3f4ae74faa308284d895abf38d004a4
Opcode Fuzzy Hash: 8621ab161bded3e5fd67412135c3c4fb508a3d75b70d687043547825fcf99a0a
Instruction Fuzzy Hash: A7A1A174E012288FEB28CF6AC945B9DBBF2BF89300F14C1AAD44DA7255DB745A85CF50

Function 0106F007 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f71a380fea75de1ca342bb4e4c82325d6ce273c869e96d51eace7c2d6d7e362
Instruction ID: 97b7602ef71fdda6f567e52b827fe6d2f7ce5b65720b018f8e1fdbbab219363a
Opcode Fuzzy Hash: 6f71a380fea75de1ca342bb4e4c82325d6ce273c869e96d51eace7c2d6d7e362
Instruction Fuzzy Hash: 5881D275E01219CFDB64DF6AD9947DDBBF6BF89300F1490AAD408AB254DB359A81CF00

Function 0106BEB2 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef588f6f94d9b72db02d046cc6afd9870d8f0f81ca82d10a9dd4e35253ddbb91
Instruction ID: b005edd7e6ca1c10e6637303dfc9a269da1edd19206815ca69bd0dbc52c86f96
Opcode Fuzzy Hash: ef588f6f94d9b72db02d046cc6afd9870d8f0f81ca82d10a9dd4e35253ddbb91
Instruction Fuzzy Hash: 5C91D574E00248CFEB54DFA9D994A9DBBF2BF89300F14C069E449AB365DB709986CF10

Function 0106C752 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc3d2a3d76fda5d3c5adee1c28fecce21f4d5d9cf4542a835b1ffba3348faab6
Instruction ID: 63c15be99f69c091187e2df96eaa42bf3f05f7e7c21d5c8ae24f0b02fcbd9aad
Opcode Fuzzy Hash: fc3d2a3d76fda5d3c5adee1c28fecce21f4d5d9cf4542a835b1ffba3348faab6
Instruction Fuzzy Hash: A081D574E00218DFEB54DFAAD984A9DBBF2BF89310F14C069E449AB365DB709981CF50

Function 0106C190 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c9ff4a8ac1bcd03b36b509c2ac05e677c9ef9d6c4247ded1f97c02a57d9104
Instruction ID: e254f8e4a5011c08f6aeb8053a0fa293faae908fd1c4e1c7474358fde112e946
Opcode Fuzzy Hash: 45c9ff4a8ac1bcd03b36b509c2ac05e677c9ef9d6c4247ded1f97c02a57d9104
Instruction Fuzzy Hash: 2681D574E00218DFEB54DFAAD984A9DBBF2BF89300F14C069E449AB365DB709981CF50

Function 05739059 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0d4ced77e534e6194d5e5bdb77143f2c3cc8271af0e8c82ff610f5298d61153
Instruction ID: b6a7f447a2946298923fa5c1a760c2ed514362f6b87655f1387fc2ce35e413a3
Opcode Fuzzy Hash: e0d4ced77e534e6194d5e5bdb77143f2c3cc8271af0e8c82ff610f5298d61153
Instruction Fuzzy Hash: 3C81E074E00218CFDB58DFAAD884BADBBF2BF89300F20816AD419AB395DB705945CF50

Function 0106CA32 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ace2df2231cbad2f0f348d412213f81eddfe75a3f8c5082c78620d86b40221
Instruction ID: ccf859ec1c6b8d31b7bde1c675c884bca8b145a934ed95d40813774f1ef0076d
Opcode Fuzzy Hash: 70ace2df2231cbad2f0f348d412213f81eddfe75a3f8c5082c78620d86b40221
Instruction Fuzzy Hash: 0181E474E00218CFEB58DFAAD984A9DBBF2BF88310F14D069E449AB365DB309941CF10

Function 0106C473 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48efa5772aa0cdb57c127581014e81e200057221ce9ad487c1cc8f7313603ee8
Instruction ID: 697c5619c6b9115d5ef214de341fd962716831a18bfaa0c464cc8f2e45d1f990
Opcode Fuzzy Hash: 48efa5772aa0cdb57c127581014e81e200057221ce9ad487c1cc8f7313603ee8
Instruction Fuzzy Hash: 3481D374E00258DFEB54DFAAD984A9DBBF2BF88300F14D069E449AB365DB709981CF11

Function 01064AD9 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0051c508e68a2a39cb63013a5985ca6620d552061db201b862eb718d273ba63
Instruction ID: 2120562491c6fe6eef56befe1bbe37ae8e3dce04bdfb27fc5cdc779a8dabf573
Opcode Fuzzy Hash: c0051c508e68a2a39cb63013a5985ca6620d552061db201b862eb718d273ba63
Instruction Fuzzy Hash: 0281D274E00258DFDB58DFA9D994A9DBBF2BF88310F14C069E849AB365DB709981CF10

Function 0573B097 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b897a3fad2b08218381a236de4bd3308b230319311c1592fb923df3764f1d38d
Instruction ID: 7261a98aadbb840846cb322c06b0ad083775f13e6189e264696961752cd10fe3
Opcode Fuzzy Hash: b897a3fad2b08218381a236de4bd3308b230319311c1592fb923df3764f1d38d
Instruction Fuzzy Hash: 0181A571E01668CFEB28CF6AC945B9DBAF2AF89300F14C0EAD50DA7255DB304A85CF51

Function 0573D020 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 303dafd664caaded7372ec2f7151ffd850871267789390005a8cfbe8686228eb
Instruction ID: 62fe84bf74fccff3c36fd4807116b94880e1a8273f84d08b4ac98535d57a0ed6
Opcode Fuzzy Hash: 303dafd664caaded7372ec2f7151ffd850871267789390005a8cfbe8686228eb
Instruction Fuzzy Hash: E87193B1E01618CFEB68CF6AC945B9DBBF2AF89300F14C1AAD40DA7255DB344A85CF11

Function 0106B4F2 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703d858a9197ad8214a22c784c883932907c971834167638932c4e3bb09385b8
Instruction ID: 554eeadd2e8e6e3c1616a7bbbaaf2769834217a5d68f0db770981111891d475e
Opcode Fuzzy Hash: 703d858a9197ad8214a22c784c883932907c971834167638932c4e3bb09385b8
Instruction Fuzzy Hash: 6561E4B4E006489FDB18DFAAD944A9DBBF6FF89300F14C069E458AB365EB345942CF50

Function 0573AA57 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffee8d2c3c9129e71b9253d68ffdd52a821ec4c51b8b9ece6e0715533323846e
Instruction ID: d01a812d5af3d9bee01d405b91007362224161c08ad362757973eace6a9a87c2
Opcode Fuzzy Hash: ffee8d2c3c9129e71b9253d68ffdd52a821ec4c51b8b9ece6e0715533323846e
Instruction Fuzzy Hash: 10718671E01618CFEB68CF6AC945B9DFAF2AF89300F14C0AAD50DA7255DB344A85CF51

Function 05738A04 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320a2a0233a43b9fc5e9563b5e213ef7925802dbba774cb65d6679e62291e56e
Instruction ID: d6b4a8c6e3b1a481d5649583ae1e9efea37737a008676588fd69da73a43fedaf
Opcode Fuzzy Hash: 320a2a0233a43b9fc5e9563b5e213ef7925802dbba774cb65d6679e62291e56e
Instruction Fuzzy Hash: 1441E2B0E012088BEB18DFAAC8447DEBBF2BF88310F24C16AD458BB254DB754946CF14

Function 0573C9D0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8817a3898be9a283c0564adcfbfee50fb1dda22d126338f17cf221e792d7812f
Instruction ID: 64364d4c4c689fa732024506e37ce1dd0f8703b3a9da4eb933da413acd7258ef
Opcode Fuzzy Hash: 8817a3898be9a283c0564adcfbfee50fb1dda22d126338f17cf221e792d7812f
Instruction Fuzzy Hash: E04189B1E016188BEB58CF6BCD45789FAF3AFC9310F14C1BAC50CA6265DB740A858F51

Function 0573A400 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dbca7563c66bad4ef4128974bca159bd9526ec8ae8534b8f29ec627bd085fff
Instruction ID: 7e9e7b0637ef974bf525571d4ed08d2813fcc6e8bca80c06f71738b0da327fd0
Opcode Fuzzy Hash: 5dbca7563c66bad4ef4128974bca159bd9526ec8ae8534b8f29ec627bd085fff
Instruction Fuzzy Hash: 054158B1E016188BEB58DF6BC94578AFAF3BFC8310F14C1AAC50CA6265DB750A858F51

Function 0573BD30 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6a7a9829d4fd9299cdc135853b2d9703ceeb1c5cd064572e4f6b7cdbf25f80
Instruction ID: 281f9cc14b791fe167bba55af1734a663e1f3193b1477917c50fc81967c225d6
Opcode Fuzzy Hash: af6a7a9829d4fd9299cdc135853b2d9703ceeb1c5cd064572e4f6b7cdbf25f80
Instruction Fuzzy Hash: 064159B1E016188FEB58CF6BD945799FAF3BFC8310F04C1AAC50CA6255EB740A858F51

Function 0573C380 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f710eddbad613c0e7d83c1700250073a63b47a021205a308d6a1e4c5c53bc602
Instruction ID: 86aec14125d86ed19bee17e4967176fed64965276b4bb7b0f3bfb970f07d7ca1
Opcode Fuzzy Hash: f710eddbad613c0e7d83c1700250073a63b47a021205a308d6a1e4c5c53bc602
Instruction Fuzzy Hash: 8B4168B1E016188BEB58CF6BD9457CAFAF3AFC8300F04C1AAD50CA6254EB740A858F51

Function 0573D66B Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a3c220888e8a63e5bf162832014c9c5a05ab85eb0d08ef19461ea23e653e44
Instruction ID: da160bfe0873affed8c5b4c209510735f21cfd0888d7afdc4af184f554a1b383
Opcode Fuzzy Hash: 54a3c220888e8a63e5bf162832014c9c5a05ab85eb0d08ef19461ea23e653e44
Instruction Fuzzy Hash: 244159B1E016188BEB58CF6BDD4578AFAF3AFC8310F14C1AAC50CA6255EB740A858F51

Function 0573B6E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d77c331e0924e82b28066aa604c6703f417a319d5edd0924035b5c667d5525d9
Instruction ID: 16262ed25204b810066095c6604c2f571a77eedfb53da8dfe103700e61c98aa8
Opcode Fuzzy Hash: d77c331e0924e82b28066aa604c6703f417a319d5edd0924035b5c667d5525d9
Instruction Fuzzy Hash: 0A4169B1E016188FEB58CF6BC9457CAFAF3AFC8310F14C1AAD50CA6265DB740A858F51

Function 01062150 Relevance: .9, Instructions: 900COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3adbe2bdb22d8c5109e8bd085431f376254f1a9398e1b52618f661e604dafb00
Instruction ID: a65b820f2e3146ddef4eb12b75bcca2900cef027a72311722d68896a62127222
Opcode Fuzzy Hash: 3adbe2bdb22d8c5109e8bd085431f376254f1a9398e1b52618f661e604dafb00
Instruction Fuzzy Hash: 8162FA30C163269BCF68CF348D855BB7BB4AF49260B28876EF5C9E5245E2394B60C7D1

Function 010677F0 Relevance: .7, Instructions: 702COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c27254746f70746116443f4e605894d929bd1c580570328a99267d3f93b219d
Instruction ID: df410b89d2cbfd46ff9447b20e5820a2de2ef4f1ebd0b245d94546e0a971d98f
Opcode Fuzzy Hash: 7c27254746f70746116443f4e605894d929bd1c580570328a99267d3f93b219d
Instruction Fuzzy Hash: 46526474A00259CFEB549BE4C860BAEBB72FF85300F1081A9D24A6B356DF345D85DF61

Function 01066E58 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bf37e1858cba92fae2ea882e5ced8410ecf05a3140252d5e1534c5ef241083a
Instruction ID: d55d6c2038e4e86387a0982ebe2296241c152ce6511df4f9fc670c3301399862
Opcode Fuzzy Hash: 7bf37e1858cba92fae2ea882e5ced8410ecf05a3140252d5e1534c5ef241083a
Instruction Fuzzy Hash: 97126B30A00249CFDB15DF69C884AAEBBF6FF88318F158599E985DB261DB31ED41CB50

Function 0106A818 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be9faa77a805eec64b691a2fd0c16b3a2854ce9a4e12c9e66c5f8c16c9a3d1d1
Instruction ID: 2ca5669f5fd208bd00ad67a67aaff9d621257ce497b203d3985fa114234b73b8
Opcode Fuzzy Hash: be9faa77a805eec64b691a2fd0c16b3a2854ce9a4e12c9e66c5f8c16c9a3d1d1
Instruction Fuzzy Hash: 4AF11B75B00215CFCB05DFACC9849ADBBFABF88310B1A8599E555AB362CB35EC41CB50

Function 01060C8F Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff20cba9ec58ad7767d65b5aa0e74d00e5d4fa08a2079a3d4e2b141a506bc87
Instruction ID: bdbf51728764a87112485008bd9100d9dece03ac41ea57f1b62b7ddc7552f302
Opcode Fuzzy Hash: aff20cba9ec58ad7767d65b5aa0e74d00e5d4fa08a2079a3d4e2b141a506bc87
Instruction Fuzzy Hash: 62224D7490121ACFCB54EF28E994B8DBBB1FF88314F1085AAD849AB719EB305E45CF50

Function 01060CA0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dff52019ea6133b09f5f487a69f325e1938abc6d43e7a2ff7ce4e903a5b9709
Instruction ID: 29a05c6131804c23adb1bd40fa3a86d4060c5e17df2239fcb821d99fa92433ec
Opcode Fuzzy Hash: 4dff52019ea6133b09f5f487a69f325e1938abc6d43e7a2ff7ce4e903a5b9709
Instruction Fuzzy Hash: 61224C7490121ACFCB54EF68E994B8DBBB1FF88315F1085AAD849AB718EB305E45CF50

Function 010687E9 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb547255aeffc08bf837784ae993df87abe19ec65867c9a4cbc53b4748247ce
Instruction ID: f6b272d9bb0e36b6703ff24623b6a849fc388e4f112534bb48838701523790b6
Opcode Fuzzy Hash: 4eb547255aeffc08bf837784ae993df87abe19ec65867c9a4cbc53b4748247ce
Instruction Fuzzy Hash: D4B141703147018FEB599B2DC958B3D3ADEEF85604F1894ABE682DF3A1EA29CC41C751

Function 010656A8 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6267d2017f1a7e327495ac5b45394ac3785223191ef0f145106be79c16be8769
Instruction ID: ab3c1e402ebf1441d0a8556efa1c0eea27cfd5063e62bb272d509a40fcb32c27
Opcode Fuzzy Hash: 6267d2017f1a7e327495ac5b45394ac3785223191ef0f145106be79c16be8769
Instruction Fuzzy Hash: 5B91BE307042448FDB66AF68D858B7E7BE6BFC9340F14846AE5868B796DF398C01C791

Function 01065C08 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb13664a6c32cf60dabcffc8f4abc460a7be11f85e1b56972f993e7c6ff911e2
Instruction ID: fd059b917d5502b6531e9d4957e7af856608463ff47944781f705c22adfbaf85
Opcode Fuzzy Hash: cb13664a6c32cf60dabcffc8f4abc460a7be11f85e1b56972f993e7c6ff911e2
Instruction Fuzzy Hash: 9081A130A00509CFCB58DF6DCC8896DBBFABF89390B1481A9D545DB3A5DB31D842CB90

Function 05739918 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4995014df81ebf18ff5839a10a28af8b9128cfe7f43c7b79f7ce39372de28761
Instruction ID: dbcbb85b47f1a9a4c9b661115234954d8674d72abe2873cf49d6a77d003106bb
Opcode Fuzzy Hash: 4995014df81ebf18ff5839a10a28af8b9128cfe7f43c7b79f7ce39372de28761
Instruction Fuzzy Hash: C271E631F002199BDB19DFB8C855AAEBBB2AFC8710F14412AE506B7381DF749D42DB91

Function 01067438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db189700b9d7b0c0018f25af7a11e872a2cd011454d38bc48ef89cd0cff4ffff
Instruction ID: 45dd49eb0547fb4d89a5a0d32007895e04f86b89fc6561516f3f8bbcabf8ee7b
Opcode Fuzzy Hash: db189700b9d7b0c0018f25af7a11e872a2cd011454d38bc48ef89cd0cff4ffff
Instruction Fuzzy Hash: FF7139307002458FDB65DF2CC898AAD7BE9AF49618F1500E9E986CB3B1DB75DC41CB91

Function 0106CEC7 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6302dfcbc3a66e64c032c8dcd32a5f3a88c75be92d2a72e7bbdce75f6452707b
Instruction ID: 698156be6b5f0c8838146f4fe553b02129bc5a9e2a2fae2c8daa38222b0124b0
Opcode Fuzzy Hash: 6302dfcbc3a66e64c032c8dcd32a5f3a88c75be92d2a72e7bbdce75f6452707b
Instruction Fuzzy Hash: A051B1300297468FD6243BA4B5AC66F7BA1FB1F327700BE04A8CEC11A9CF7A54458F24

Function 0106CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e1e1c7150949be26037fa7b35ffcae4c7168256d622dd3c53bb384de8b2e471
Instruction ID: c6692409e45fa9b802b8756324c6220f13281154907ec85c1d6b86b9efdf9a50
Opcode Fuzzy Hash: 9e1e1c7150949be26037fa7b35ffcae4c7168256d622dd3c53bb384de8b2e471
Instruction Fuzzy Hash: 9751AF300297068FD6243BA4B5AC66F7BA5FB1F327740BE00A9CEC11A9CF7A54548F24

Function 0106E2D9 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5652b3b33e6082993a382ef5af077bc4d680be0ae7fb3955e3444c6b691b0fed
Instruction ID: c2b41ab814bc127769482047189f6815ae1e09e971cfc359507aea3b392c7d57
Opcode Fuzzy Hash: 5652b3b33e6082993a382ef5af077bc4d680be0ae7fb3955e3444c6b691b0fed
Instruction Fuzzy Hash: 23611174E01218DFDB14DFE4D854AADBBB2FF88304F208529D849AB396DB765945CF40

Function 0106CD10 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a742b67de6f8fd4b9bf42bd43a4befff54e6d2435d851d0188955e5b71109434
Instruction ID: 0b367e12a27b7013605a91fac75efca90bd79b98692f2d432e2618c5f5c4f888
Opcode Fuzzy Hash: a742b67de6f8fd4b9bf42bd43a4befff54e6d2435d851d0188955e5b71109434
Instruction Fuzzy Hash: 27519474E01208DFDB48DFAAD9849DDBBF2BF89300F248169E519AB365DB31A901CF50

Function 0573DCC8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e2c1f9aa73dc5c3859094f5862e03219f4f3585eb2ae3c97c48633f87142f1
Instruction ID: c11bc20231b4da266ca684653a3cb2eb9225d224a6f61f9069bb0bf555a541c0
Opcode Fuzzy Hash: 49e2c1f9aa73dc5c3859094f5862e03219f4f3585eb2ae3c97c48633f87142f1
Instruction Fuzzy Hash: 74415B3590631ACFD704AFB0E46C7EE7BB1FB49316F104929D546A32A5CB780A48CF60

Function 01063908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca2d9e4da61f5bffd8430cf15ada3526ac85bbaf78644c93f94dd6d7478d76f
Instruction ID: c32f1ea15ad17dfe2fb6a9b4e2cce6f30601d8056f7ce178cbf2ffed8ea043ff
Opcode Fuzzy Hash: aca2d9e4da61f5bffd8430cf15ada3526ac85bbaf78644c93f94dd6d7478d76f
Instruction Fuzzy Hash: 3F51B674E01248CFCB48DFA9D99499DBBF2FF89315B208569E815AB324DB31AD42CF50

Function 01069A63 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e6e57df32ba97e613115bd82c81eda7bf50a5b2e5e3797bde66fbab7ba921e
Instruction ID: 96f24ef4052125e02e1f53ded1400e3da6bdbc8444e03ba4ab42be9ddab23d9d
Opcode Fuzzy Hash: 58e6e57df32ba97e613115bd82c81eda7bf50a5b2e5e3797bde66fbab7ba921e
Instruction Fuzzy Hash: 1C51E631A04249DFCF12CFA8C844A9DBFF6EF49318F048596E9819F696D335D914CB90

Function 0106A650 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a051c18e544226aee4b090b45dcf365e72d17b87708d1ff77638e08659b25c2
Instruction ID: 48ef16d2aca5f78336ec45df14428742f1d42f5d4001438c5e75a0f0a1325ac6
Opcode Fuzzy Hash: 6a051c18e544226aee4b090b45dcf365e72d17b87708d1ff77638e08659b25c2
Instruction Fuzzy Hash: 6741F2357042049FCB19AB68D804AAE7BF6BFC9710F1484A9E686E7391DE369C01C790

Function 05739908 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64aece9763d6abfb9c1efb921eaa280ddfadb52172fa177f6006643853d94d8
Instruction ID: 788901273c57218c33d685dc51b876805dc53752e3feb726da1d23f27fd84bfd
Opcode Fuzzy Hash: c64aece9763d6abfb9c1efb921eaa280ddfadb52172fa177f6006643853d94d8
Instruction Fuzzy Hash: 6D416231E10219DBDB14DFA5C881ADEB7B6BF88710F148229E512B7341EB70AD45DB90

Function 05739E51 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc3d295fa5e459df92ca75a31736b41f2c10651968117617a52c5d7e5cf76818
Instruction ID: c2e9f13131c1d1e8ec58e40ce7d7ffadd28286ac96a9d52a30691a32713c2716
Opcode Fuzzy Hash: fc3d295fa5e459df92ca75a31736b41f2c10651968117617a52c5d7e5cf76818
Instruction Fuzzy Hash: 1541DFB8D01219CFDB04EFA5D598BEDBBF2BF48314F20912AD805A7298EB745A45CF50

Function 0106D7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a6904dd25b92870e63c5d09781237274a0434facb7698e2888dc2b30105548
Instruction ID: 594234dcba400818f0703bb9cf7eab8b10d0f0c715913f9ad2feb1c8d3eb9ab4
Opcode Fuzzy Hash: 60a6904dd25b92870e63c5d09781237274a0434facb7698e2888dc2b30105548
Instruction Fuzzy Hash: DF415774E04248CFCB14DFE8D494AEDBBBAFB49304F209119D0CAAB255E7799842CF25

Function 0106D7EB Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca484f6204f2d458ab4ef715a8d71b4adfc1d05a0d58dafc899fa20d3eaaa3c9
Instruction ID: e77a18c59609a84edcba4638f718b99a5630258402bf779dafdf0215630ffeac
Opcode Fuzzy Hash: ca484f6204f2d458ab4ef715a8d71b4adfc1d05a0d58dafc899fa20d3eaaa3c9
Instruction Fuzzy Hash: 48417670E04248CFCB00EFE8D884AEDBBBAFB49304F109219D4C9A7255E7799842CF25

Function 05739E60 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce5ac11526cec9a97961a4bc16748259dd2bd8eb71e90f4cd14551b7d829d5f
Instruction ID: 79ae2ab743fcdc126023a2f6710c92f09f8a21d2e185cbd06af9304f462d9787
Opcode Fuzzy Hash: 1ce5ac11526cec9a97961a4bc16748259dd2bd8eb71e90f4cd14551b7d829d5f
Instruction Fuzzy Hash: 0741C078E01209CFDB04EFA5D594BEDBBF2BF88314F10912AD805A7298EB745A46CF50

Function 0106D76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4152491508591638bf0c8e75d3e52edc0182cfa265f67d946af6fcc3570830aa
Instruction ID: 0d0f7f9f65dc3804baa220986f22cd63c20db595388d6cb4a310e96bf0a72739
Opcode Fuzzy Hash: 4152491508591638bf0c8e75d3e52edc0182cfa265f67d946af6fcc3570830aa
Instruction Fuzzy Hash: A2414570E00248CFCB10DFE8D494AEDBBFAFB49304F209229D489A7255E7799842CF55

Function 0106D620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de66deabf97fa6f5796b2e872e639738bdc39580a50a303e6a715d0c37c4c9d2
Instruction ID: 90939d561fb09aecd13380cb58f0ccf1c96a6c303ab58459485fa501e7a2baf3
Opcode Fuzzy Hash: de66deabf97fa6f5796b2e872e639738bdc39580a50a303e6a715d0c37c4c9d2
Instruction Fuzzy Hash: 02410770E01248CBDB04DFA9D444AEEFBFABF89304F14D129D488A7255EB759842CF65

Function 01064DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de41aa9d30e913a228c7a0185b317ba1cd3d29c6f6ad7482c521c9d095c30ba
Instruction ID: 6e8c44f8a1cefed5a61ea8572cd121baf72666ccb5982c2ee3f41c52aeb7926d
Opcode Fuzzy Hash: 9de41aa9d30e913a228c7a0185b317ba1cd3d29c6f6ad7482c521c9d095c30ba
Instruction Fuzzy Hash: 7D31A031708149EFCB55AFA8D854AAF7FA6FB88300F104015FA95C7245CB39CD21DBA1

Function 0573DCB9 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92d2ecd479c32ec690f0d91972c4739dd2db7bb64a66d8858d90d895d08597a5
Instruction ID: 06b66a1261be3a6881223411a929e72dad6e94bc47398958e35cc5821b259ac5
Opcode Fuzzy Hash: 92d2ecd479c32ec690f0d91972c4739dd2db7bb64a66d8858d90d895d08597a5
Instruction Fuzzy Hash: 7D31D13180635ACFD700AFB1E82C7EEBBB1FB4A312F004859D545A72A5CB780A48CF60

Function 010676D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29aae58307c3f56b731389ecc7ee90ef7fb41bcd838411eb1c408f89f28c6450
Instruction ID: 5b3c76537d847c2fcfdb78d8fa800546c3cdbcff4c1f53cb923804146352b5d9
Opcode Fuzzy Hash: 29aae58307c3f56b731389ecc7ee90ef7fb41bcd838411eb1c408f89f28c6450
Instruction Fuzzy Hash: CF21A7343046454BEB26173D8C5463D7ADBBFC961D71440B9D581CB796EE2D8C41E781

Function 0106A809 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f78c333b4254770548f8a186fee090acd062d4fa38eabf98f09706700b1fcba
Instruction ID: 462f82286ab2eb5391937e400ef0153c00abfd7992f486c5fd2446962c9365ca
Opcode Fuzzy Hash: 9f78c333b4254770548f8a186fee090acd062d4fa38eabf98f09706700b1fcba
Instruction Fuzzy Hash: D431B770B00505CFCB04DF6DC8849AEBBB6FF85350B258559E595AB3A2CB359C02CBA0

Function 0106DF79 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b3318421629ab0716704de02ccc08b21d95435d57965f0f76c112a751e5e5f0
Instruction ID: 763c1b09ff2274cd7f04474d4ed4cf46faf3180f9bec0331b14a791489c5c970
Opcode Fuzzy Hash: 3b3318421629ab0716704de02ccc08b21d95435d57965f0f76c112a751e5e5f0
Instruction Fuzzy Hash: 1721B171E00249CBDB04DFEAD8046EDBBFAEFCA300F04D465D584A72A5DB708545CB65

Function 010676E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f454c20f68e0ce8a0e904a7b8016bc96e136e50b6ba6f93cb9b958373a229dfb
Instruction ID: 225c5ef09237482b0ac8fe302cbb39dfd5fb9233de73463326bcc5d74c4aa1e7
Opcode Fuzzy Hash: f454c20f68e0ce8a0e904a7b8016bc96e136e50b6ba6f93cb9b958373a229dfb
Instruction Fuzzy Hash: CC2195343142054BEB2516398854A7E36DFBFC871DF1440B9D682CB799EE6DCC81E781

Function 0106D122 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ac1b0ec00bd711c5cd4792846796d97fee2288af8f7a7f1382276f6d029f60
Instruction ID: a53654dbdb27e9c574b884121354037f8b8ffaf3308702fd22eb0d51f3319f88
Opcode Fuzzy Hash: 10ac1b0ec00bd711c5cd4792846796d97fee2288af8f7a7f1382276f6d029f60
Instruction Fuzzy Hash: 1D215A31D10209DECF01EFE8E8146ECFBB8EF0A315F009665D9847B254EB70AA5ACB54

Function 01062060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f7feca10aa2231ae8d75193d85fa837d4d74d5393aebab25d022ece438dcd48
Instruction ID: ac9be5beb63eab2ff59621daf72c839dac4f0d9ab393123802dd0def3afb27eb
Opcode Fuzzy Hash: 7f7feca10aa2231ae8d75193d85fa837d4d74d5393aebab25d022ece438dcd48
Instruction Fuzzy Hash: 6721C735A00105DFCF14DF64C8509AE77BAEB9D260F10C85DE9498B385EB32EA41CBD1

Function 01065A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8648461705c6483ed608f17adad750b3084c487adef6babb2e11ea3e3f25e92c
Instruction ID: 99a6fa631b8510c720d9b25af20bf3a47193d64d4ca64749708f6d0c734999ba
Opcode Fuzzy Hash: 8648461705c6483ed608f17adad750b3084c487adef6babb2e11ea3e3f25e92c
Instruction Fuzzy Hash: F321C0317056159BD725AB29C8A492EBBAAFB8879071441A9E986CB354DE35DC02CBC0

Function 00D0D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4605324469.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_d0d000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef2a11324c6f6fa8231328a6a8c3cde61070878ce505414323760ad2509f6daf
Instruction ID: 202eeb8900d0137ce6342fd39c00a63343a006b4646914db13e259f945c09473
Opcode Fuzzy Hash: ef2a11324c6f6fa8231328a6a8c3cde61070878ce505414323760ad2509f6daf
Instruction Fuzzy Hash: 1E213475504304EFCB14CF60D9C0B26BB62FB84314F24C56EE94D0B292CB7AD846CA72

Function 05739AF9 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e639c3d256d2136c762c76aeeaffaf30eb58adb0471011b586505f6f4e0be1
Instruction ID: 25fbcfcb30e975f3adab3454194776245661a4faea6a34f0d03255a79816cc00
Opcode Fuzzy Hash: c3e639c3d256d2136c762c76aeeaffaf30eb58adb0471011b586505f6f4e0be1
Instruction Fuzzy Hash: E3113D367043685FDB4A6FB8586466E3FB3DFC9250B14442AE505EB3C1DF384D028796

Function 0573E0C8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc757c6c731580f16334a90203854e793e8d9268663a934579e2c4e93fa53d46
Instruction ID: 537bd027c31e21f4bd34d035a4d5a3074c36a01eb0d87aa723c6dbc37eff3a7b
Opcode Fuzzy Hash: bc757c6c731580f16334a90203854e793e8d9268663a934579e2c4e93fa53d46
Instruction Fuzzy Hash: 081125317182948FD70506799C1427BBEAFAFCA220B588077E985C7397DD298C069771

Function 0106D60F Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9dc5cf3bd2214d4f6c14d857f1b46ee99e3a5916fdb85a9f8943b25df0b327e
Instruction ID: bd1f380c2c562a4cbd8b7fc22026470cb2492b59c9eacd07104b881beb70e9bb
Opcode Fuzzy Hash: d9dc5cf3bd2214d4f6c14d857f1b46ee99e3a5916fdb85a9f8943b25df0b327e
Instruction Fuzzy Hash: DF117F70E006488BDB04DFAAC8086DEFBF6AFCD301F04C065D488AB255EB3049468F55

Function 0106E1FB Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d2cccb74201c12edd728af0289c250e105caeb4016f58ebe4ec0ff4faa86af8
Instruction ID: 1101330ca41779a2e00ba2d6171814e4b96e4c9562fe94901a03d79500a1a428
Opcode Fuzzy Hash: 6d2cccb74201c12edd728af0289c250e105caeb4016f58ebe4ec0ff4faa86af8
Instruction Fuzzy Hash: 2F21927090524ADFDB45EFB8D95069EBFF1FF85304F0095A9C1489B326EB705A468B81

Function 01061F61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70cbe6cc8520d334a0fdf2f8143e36785a52f233146076672773b30f33af395a
Instruction ID: 472a59b067412066c7aa64d4fd73c068135737af98738c998315d7087ec60af3
Opcode Fuzzy Hash: 70cbe6cc8520d334a0fdf2f8143e36785a52f233146076672773b30f33af395a
Instruction Fuzzy Hash: B021C2B4C04249CFCB41EFA8D8455EEBFF1BF49300F5051AAD849B7224EB355A95CBA1

Function 0573964C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948ef9ce0e3abccdf02a48c827b1da8b20277e9e0697313932b1ec82141472b2
Instruction ID: 8fa6ff88f6491cf8c065174bd36ca2de305ded31f95eca91c1b46291eb823fc9
Opcode Fuzzy Hash: 948ef9ce0e3abccdf02a48c827b1da8b20277e9e0697313932b1ec82141472b2
Instruction Fuzzy Hash: CD1144B2800249DFDB10DF99C945BEEBBF5EF48320F108419EA14A7211C379A554DFA1

Function 01061F08 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a11c86540fb1e7adcaff04e15be7f69aeeb3e5f82b7161c1812870a15d52bf8
Instruction ID: a782c5a3ffee78fe7bc3e3b86c72022864f3453cf6e3e117eb8a3b727c7322dc
Opcode Fuzzy Hash: 6a11c86540fb1e7adcaff04e15be7f69aeeb3e5f82b7161c1812870a15d52bf8
Instruction Fuzzy Hash: AB2122B4C082098FCB50EFA8D8445EEBFB4FF49300F54816AD985B7364EB315A85CBA1

Function 05739DA1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d13dc3a49d1f141d2ba73e3c43d33cc7c3af08fe85b6347775133627384864e1
Instruction ID: d7b8b494e5b41c9909c7d790abd0eaebecb8afafc9bfdc9b9eb89e6c060f25ed
Opcode Fuzzy Hash: d13dc3a49d1f141d2ba73e3c43d33cc7c3af08fe85b6347775133627384864e1
Instruction Fuzzy Hash: 201126B6800249DFDB10CF9AC845BDEBFF4EF48320F148419E654A7251C379A554DFA5

Function 057392C9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4613127460.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5730000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8465e25918fc012677e15f7516275ef3db4b8f7678aa1f0145da38bf8d3a22
Instruction ID: aa4b2646f792c4497758b57e70a752495f7c373d26b76de269354a66149faa97
Opcode Fuzzy Hash: df8465e25918fc012677e15f7516275ef3db4b8f7678aa1f0145da38bf8d3a22
Instruction Fuzzy Hash: 62117C78F001498FEB04DFF8D841BAEBBB2AB89310F009161E908A734AE67199428B50

Function 0106E208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d11cec480a8218d76497a10c988456a018822de71af17c684c507dc6854437
Instruction ID: 3ace5832ea1606c8cc681c9de3a598da120f362d43dd025da0e1c105e61a89df
Opcode Fuzzy Hash: b2d11cec480a8218d76497a10c988456a018822de71af17c684c507dc6854437
Instruction Fuzzy Hash: 461193B0D0120ADFDB44EFB8D95079EBFF2FB84304F0096A9C108AB715EB745A468B81

Function 00D0D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4605324469.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_d0d000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: acf6d07f6a68840efa8b56783bf89d2ea8310fa909740555924cb354079e00ef
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 69119D79504284DFCB15CF50D9C4B15BBA2FB84318F28C6AAD84D4B696C73AD84ACF62

Function 01065607 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab01437983287ccd5447bbb6253e80b53848cde05c2c7847e827ba7ff6737f9e
Instruction ID: b095ce7a06257fcfeb75dd53fc942f34a7559635d8bb54eace352d54a6eebf26
Opcode Fuzzy Hash: ab01437983287ccd5447bbb6253e80b53848cde05c2c7847e827ba7ff6737f9e
Instruction Fuzzy Hash: F701F571704104AFDB419E64A800BEF7BEBDBC8391F18806AFA85C7240CE358C028791

Function 0106D11A Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c97d4b4856bcd277c531a62491018d61fe982c66920f0167df1b239125706d
Instruction ID: 0eb59430974cbf11cc6a5559c911965f33d0f631bc06d884886dbce9f92b85e3
Opcode Fuzzy Hash: e5c97d4b4856bcd277c531a62491018d61fe982c66920f0167df1b239125706d
Instruction Fuzzy Hash: E3F0427006974ACBD3202FA0B4AC02E7B30EB5F32B3056E81E0CE85599DB2A0455CB14

Function 0106D449 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3e0e8feaf6d4acfba800ef4344d003f95b64adbe59e5eafe09ac9283c36c8e4
Instruction ID: 2d3f0e03bf518786fbd2c133c0d9e31c0b5574d8f78daaea8dcd076a2b291c65
Opcode Fuzzy Hash: b3e0e8feaf6d4acfba800ef4344d003f95b64adbe59e5eafe09ac9283c36c8e4
Instruction Fuzzy Hash: 1DF05530A4464AD7CB019FA9FC086EAB3B8AB8B301F4014A0D588DB291DF3158018BA0

Function 0106DF08 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a28b292383d8c1791e8c86bbb88b053ce4e7eee1c80d1bbe12a9b1e68d997d2
Instruction ID: 620416004d7d8d2ca08791d0c1510076ec33abbdadecddd6c3badfdef82ecb2d
Opcode Fuzzy Hash: 8a28b292383d8c1791e8c86bbb88b053ce4e7eee1c80d1bbe12a9b1e68d997d2
Instruction Fuzzy Hash: FFF0E534A04749CBDB059FA9A8047EAB7B5EB8B301F4518A4D584A72A1DFB09908CBE5

Function 0106DEB0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11650230a06e92e9613c89e003c05959eea95b45c5308c18bf64d96feeeb3e3b
Instruction ID: 428716b0d852fce8623d6aedb1f48d9975ffce90fab3e8a0d79702d58b431e11
Opcode Fuzzy Hash: 11650230a06e92e9613c89e003c05959eea95b45c5308c18bf64d96feeeb3e3b
Instruction Fuzzy Hash: C0F03471B11225CFCB84EFBCC844AAE7BF4AF08210B2144B9D54ADB321EB30DA008BD0

Function 01062010 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f981439c93bdac8e3a2976907d69ad24b005f153bf73cae9daae1bd736fa414
Instruction ID: 02b0d4b49d304aaf8f60fed8df44c04f6597b9ea5e6f7f6498723cea8952b0e7
Opcode Fuzzy Hash: 1f981439c93bdac8e3a2976907d69ad24b005f153bf73cae9daae1bd736fa414
Instruction Fuzzy Hash: 59E022318203ABC7CB029BBAEC000DEBF34EE93210B400197E0242B112E770264AD3A2

Function 0106D4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184dd5c06fa7fcddf17535bbd8779d67fb8f1765940bee4aac8c01e019866033
Instruction ID: 3e99dd4e899076fed549a68aca340e1d5af7bc029e31a50ceedb605a764f9e74
Opcode Fuzzy Hash: 184dd5c06fa7fcddf17535bbd8779d67fb8f1765940bee4aac8c01e019866033
Instruction Fuzzy Hash: FCE0D893E0C240CBD7105BE564151B97F74DDD325174461C7C0C9C7525DB55DA069B11

Function 01062020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3e494ae7b00c7d3588d7cb022b86a09a510b84bf27507ae6976796fa3af4bff
Instruction ID: 9b44438f306742223ab7b2fb5e83c9f40eaf4e06d6a9e4a6c89f4adb3948baf4
Opcode Fuzzy Hash: b3e494ae7b00c7d3588d7cb022b86a09a510b84bf27507ae6976796fa3af4bff
Instruction Fuzzy Hash: 80D01231D2022B968B00A6A5DC044DEB739EE96261B904626D51537144EB71265986E1

Function 01068258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 013c576713a578446635506b6b4dee3f961c3455b8f39ee73868bf8f47cff4f9
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: D9C08C3320C2382AA635108F7C40EB7BB8CC3C13F4A258177FA9CE3200A8429C8001F9

Function 0106A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae3fa4146a66c127e27a39cfb3aa182d5683c5ffc03e7ffab0e1ecb93c615521
Instruction ID: 6f067557917a9a7f161b9e52505c800765e42cd8eedeee3449af2f815d7aec4d
Opcode Fuzzy Hash: ae3fa4146a66c127e27a39cfb3aa182d5683c5ffc03e7ffab0e1ecb93c615521
Instruction Fuzzy Hash: ADD0677AB11108DFCF149F98E8409DDB7B6FB9C221B048126E915A3265C6319921DB50

Function 01065EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d05c4fa67ae3bc89f046fdf545850d0a3701781f6a7dc04e3dde4a67684340e
Instruction ID: 74de91b576c1393534768a0b265ef7ce0dceffa403e3c034e0435ffdfe6ad007
Opcode Fuzzy Hash: 7d05c4fa67ae3bc89f046fdf545850d0a3701781f6a7dc04e3dde4a67684340e
Instruction Fuzzy Hash: 53D0C2305093CA8BC712F774E9128683F2569C2208B8050DDA5484F81BEDBD081D4792

Function 01065EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4606601607.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1060000_FTlLqTRGrXZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53587ef914424d156664c7739dba0251371ddf2e0a05de282e676699676b4d1b
Instruction ID: 240f8db20938dbaa3a918a46e637e051b989b8813e01e74192dccebbb85dd0d1
Opcode Fuzzy Hash: 53587ef914424d156664c7739dba0251371ddf2e0a05de282e676699676b4d1b
Instruction Fuzzy Hash: 58C0223060434EC7C104FBB0EA028583B1AA6C0304F40A118B20D0B81AEEBC180803D1

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Order_List.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FTlLqTRGrXZr.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order_List.scr.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ca333zeh.eqb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d52pqcyz.tuq.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fa5pdexa.s53.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fhmqiccc.shq.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gv4ucgsn.z0m.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lc4yl3jc.4hi.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_npv3wvow.uui.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p3hiayb1.sfc.psm1

C:\Users\user\AppData\Local\Temp\tmp5251.tmp

Windows Analysis Report
Order_List.scr.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre